{
  "statistics": {
    "processing": [
      {
        "name": "CAPE",
        "time": 6.55
      },
      {
        "name": "AnalysisInfo",
        "time": 0.044
      },
      {
        "name": "BehaviorAnalysis",
        "time": 0.011
      },
      {
        "name": "Debug",
        "time": 0.001
      },
      {
        "name": "NetworkAnalysis",
        "time": 15.184
      },
      {
        "name": "Suricata",
        "time": 9.715
      },
      {
        "name": "UrlAnalysis",
        "time": 0.0
      },
      {
        "name": "script_log_processing",
        "time": 0.0
      },
      {
        "name": "ProcessMemory",
        "time": 0.0
      }
    ],
    "signatures": [
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "stealth_network",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_blocklist",
        "time": 0.0
      },
      {
        "name": "disable_driver_via_hvcidisallowedimages",
        "time": 0.0
      },
      {
        "name": "disable_hypervisor_protected_code_integrity",
        "time": 0.0
      },
      {
        "name": "pendingfilerenameoperations_Operations",
        "time": 0.0
      },
      {
        "name": "anomalous_deletefile",
        "time": 0.0
      },
      {
        "name": "antiav_360_libs",
        "time": 0.0
      },
      {
        "name": "antiav_ahnlab_libs",
        "time": 0.0
      },
      {
        "name": "antiav_avast_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bitdefender_libs",
        "time": 0.0
      },
      {
        "name": "antiav_bullguard_libs",
        "time": 0.0
      },
      {
        "name": "antiav_emsisoft_libs",
        "time": 0.0
      },
      {
        "name": "antiav_qurb_libs",
        "time": 0.0
      },
      {
        "name": "antiav_servicestop",
        "time": 0.0
      },
      {
        "name": "antiav_apioverride_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_guardpages",
        "time": 0.0
      },
      {
        "name": "antiav_nthookengine_libs",
        "time": 0.0
      },
      {
        "name": "antidebug_outputdebugstring",
        "time": 0.0
      },
      {
        "name": "antidebug_windows",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoocrash",
        "time": 0.0
      },
      {
        "name": "antisandbox_foregroundwindows",
        "time": 0.0
      },
      {
        "name": "mouse_movement_detect",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_script_timer",
        "time": 0.0
      },
      {
        "name": "antisandbox_sleep",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_libs",
        "time": 0.0
      },
      {
        "name": "antisandbox_unhook",
        "time": 0.0
      },
      {
        "name": "antivm_directory_objects",
        "time": 0.0
      },
      {
        "name": "antivm_display",
        "time": 0.0
      },
      {
        "name": "antivm_generic_disk",
        "time": 0.0
      },
      {
        "name": "antivm_generic_system",
        "time": 0.0
      },
      {
        "name": "antivm_checks_available_memory",
        "time": 0.0
      },
      {
        "name": "detect_virtualization_via_recent_files",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_libs",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_events",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_libs",
        "time": 0.0
      },
      {
        "name": "antivm_wmi",
        "time": 0.0
      },
      {
        "name": "api_spamming",
        "time": 0.0
      },
      {
        "name": "api_uuidfromstringa",
        "time": 0.0
      },
      {
        "name": "bcdedit_command",
        "time": 0.0
      },
      {
        "name": "bootkit",
        "time": 0.0
      },
      {
        "name": "direct_hdd_access",
        "time": 0.0
      },
      {
        "name": "physical_drive_access",
        "time": 0.0
      },
      {
        "name": "potential_overwrite_mbr",
        "time": 0.0
      },
      {
        "name": "read_file_raw_disk_access",
        "time": 0.0
      },
      {
        "name": "suspicious_iocontrol_codes",
        "time": 0.0
      },
      {
        "name": "browser_needed",
        "time": 0.0
      },
      {
        "name": "regsvr32_squiblydoo_dll_load",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstp",
        "time": 0.0
      },
      {
        "name": "uac_bypass_eventvwr",
        "time": 0.0
      },
      {
        "name": "uac_bypass_windows_Backup",
        "time": 0.0
      },
      {
        "name": "dotnet_code_compile",
        "time": 0.0
      },
      {
        "name": "queries_computer_name",
        "time": 0.0
      },
      {
        "name": "queries_user_name",
        "time": 0.0
      },
      {
        "name": "creates_largekey",
        "time": 0.0
      },
      {
        "name": "creates_nullvalue",
        "time": 0.0
      },
      {
        "name": "access_windows_passwords_vault",
        "time": 0.0
      },
      {
        "name": "lsass_credential_dumping",
        "time": 0.0
      },
      {
        "name": "critical_process",
        "time": 0.0
      },
      {
        "name": "cryptopool_domains",
        "time": 0.0
      },
      {
        "name": "dead_connect",
        "time": 0.0
      },
      {
        "name": "dead_link",
        "time": 0.0
      },
      {
        "name": "decoy_document",
        "time": 0.0
      },
      {
        "name": "decoy_image",
        "time": 0.0
      },
      {
        "name": "deletes_consolehost_history",
        "time": 0.0
      },
      {
        "name": "dep_bypass",
        "time": 0.0
      },
      {
        "name": "dep_disable",
        "time": 0.0
      },
      {
        "name": "disables_wfp",
        "time": 0.0
      },
      {
        "name": "add_windows_defender_exclusions",
        "time": 0.0
      },
      {
        "name": "mountpoints_volume_discovery",
        "time": 0.0
      },
      {
        "name": "dll_load_uncommon_file_types",
        "time": 0.0
      },
      {
        "name": "document_script_exe_drop",
        "time": 0.0
      },
      {
        "name": "guloader_apis",
        "time": 0.0
      },
      {
        "name": "driver_load",
        "time": 0.0
      },
      {
        "name": "dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypted_ioc",
        "time": 0.0
      },
      {
        "name": "exec_crash",
        "time": 0.0
      },
      {
        "name": "process_creation_suspicious_location",
        "time": 0.0
      },
      {
        "name": "exploit_getbasekerneladdress",
        "time": 0.0
      },
      {
        "name": "exploit_gethaldispatchtable",
        "time": 0.0
      },
      {
        "name": "exploit_heapspray",
        "time": 0.0
      },
      {
        "name": "koadic_apis",
        "time": 0.0
      },
      {
        "name": "koadic_network_activity",
        "time": 0.0
      },
      {
        "name": "downloads_from_filehosting",
        "time": 0.0
      },
      {
        "name": "generic_phish",
        "time": 0.0
      },
      {
        "name": "http_request",
        "time": 0.0
      },
      {
        "name": "infostealer_browser",
        "time": 0.0
      },
      {
        "name": "infostealer_browser_password",
        "time": 0.0
      },
      {
        "name": "infostealer_cookies",
        "time": 0.0
      },
      {
        "name": "cryptbot_network",
        "time": 0.0
      },
      {
        "name": "purplewave_network_activity",
        "time": 0.0
      },
      {
        "name": "quilclipper_behavior",
        "time": 0.0
      },
      {
        "name": "raccoon_behavior",
        "time": 0.0
      },
      {
        "name": "captures_screenshot",
        "time": 0.0
      },
      {
        "name": "vidar_behavior",
        "time": 0.0
      },
      {
        "name": "injection_createremotethread",
        "time": 0.0
      },
      {
        "name": "creates_suspended_process",
        "time": 0.0
      },
      {
        "name": "injection_explorer",
        "time": 0.0
      },
      {
        "name": "injection_network_traffic",
        "time": 0.0
      },
      {
        "name": "injection_runpe",
        "time": 0.0
      },
      {
        "name": "injection_rwx",
        "time": 0.0
      },
      {
        "name": "injection_themeinitapihook",
        "time": 0.0
      },
      {
        "name": "resumethread_remote_process",
        "time": 0.0
      },
      {
        "name": "injection_write_exe_process",
        "time": 0.0
      },
      {
        "name": "injection_write_process",
        "time": 0.0
      },
      {
        "name": "internet_dropper",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_named_pipe",
        "time": 0.0
      },
      {
        "name": "ipc_namedpipe",
        "time": 0.0
      },
      {
        "name": "js_phish",
        "time": 0.0
      },
      {
        "name": "js_suspicious_redirect",
        "time": 0.0
      },
      {
        "name": "loader_alien",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_internet_explorer_exporter",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_run_exe_helper_utility",
        "time": 0.0
      },
      {
        "name": "execute_ps_via_syncappvpublishingserver",
        "time": 0.0
      },
      {
        "name": "malicious_dynamic_function_loading",
        "time": 0.0
      },
      {
        "name": "encrypt_pcinfo",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agenttesla_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_agentteslat2_http",
        "time": 0.0
      },
      {
        "name": "encrypt_data_nanocore",
        "time": 0.0
      },
      {
        "name": "reads_memory_remote_process",
        "time": 0.0
      },
      {
        "name": "mimics_filetime",
        "time": 0.0
      },
      {
        "name": "amsi_bypass_via_com_registry",
        "time": 0.0
      },
      {
        "name": "access_auto_logons_via_registry",
        "time": 0.0
      },
      {
        "name": "access_boot_key_via_registry",
        "time": 0.0
      },
      {
        "name": "create_suspicious_lnk_files",
        "time": 0.0
      },
      {
        "name": "credential_access_via_windows_credential_history",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_microsoft_exchange",
        "time": 0.0
      },
      {
        "name": "dll_hijacking_via_waas_medic_svc_com_typelib",
        "time": 0.0
      },
      {
        "name": "execute_file_downloaded_via_openssh",
        "time": 0.0
      },
      {
        "name": "execute_safe_mode_from_suspicious_process",
        "time": 0.0
      },
      {
        "name": "execute_scripts_via_microsoft_management_console",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_processes_via_windows_mssql_service",
        "time": 0.0
      },
      {
        "name": "execution_from_self_extracting_archive",
        "time": 0.0
      },
      {
        "name": "ip_address_discovery_via_trusted_program",
        "time": 0.0
      },
      {
        "name": "load_dll_via_control_panel",
        "time": 0.0
      },
      {
        "name": "network_connection_via_suspicious_process",
        "time": 0.0
      },
      {
        "name": "potential_location_discovery_via_unusual_process",
        "time": 0.0
      },
      {
        "name": "store_executable_registry",
        "time": 0.0
      },
      {
        "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
        "time": 0.0
      },
      {
        "name": "suspicious_java_execution_via_win_scripts",
        "time": 0.0
      },
      {
        "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
        "time": 0.0
      },
      {
        "name": "uses_restart_manager_for_suspicious_activities",
        "time": 0.0
      },
      {
        "name": "modify_desktop_wallpaper",
        "time": 0.0
      },
      {
        "name": "move_file_on_reboot",
        "time": 0.0
      },
      {
        "name": "multiple_useragents",
        "time": 0.0
      },
      {
        "name": "network_anomaly",
        "time": 0.0
      },
      {
        "name": "network_bind",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_archive",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_free_webhosting",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_generic",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_interactsh",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_opensource",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_pastesite",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_payload",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_serviceinterface",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_socialmedia",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_telegram",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_tempstorage",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_urlshortener",
        "time": 0.0
      },
      {
        "name": "network_cnc_https_useragent",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_exfil",
        "time": 0.0
      },
      {
        "name": "network_cnc_smtps_generic",
        "time": 0.0
      },
      {
        "name": "network_dns_idn",
        "time": 0.0
      },
      {
        "name": "network_dns_suspicious_querytype",
        "time": 0.0
      },
      {
        "name": "network_dns_tunneling_request",
        "time": 0.0
      },
      {
        "name": "network_document_http",
        "time": 0.0
      },
      {
        "name": "explorer_http",
        "time": 0.0
      },
      {
        "name": "network_fake_useragent",
        "time": 0.0
      },
      {
        "name": "legitimate_domain_abuse",
        "time": 0.0
      },
      {
        "name": "suspicious_communication_trusted_site",
        "time": 0.0
      },
      {
        "name": "network_tor",
        "time": 0.0
      },
      {
        "name": "office_com_load",
        "time": 0.0
      },
      {
        "name": "office_dotnet_load",
        "time": 0.0
      },
      {
        "name": "office_mshtml_load",
        "time": 0.0
      },
      {
        "name": "office_vb_load",
        "time": 0.0
      },
      {
        "name": "office_wmi_load",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882",
        "time": 0.0
      },
      {
        "name": "office_cve2017_11882_network",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444",
        "time": 0.0
      },
      {
        "name": "office_cve_2021_40444_m2",
        "time": 0.0
      },
      {
        "name": "office_flash_load",
        "time": 0.0
      },
      {
        "name": "office_postscript",
        "time": 0.0
      },
      {
        "name": "office_suspicious_processes",
        "time": 0.0
      },
      {
        "name": "office_write_exe",
        "time": 0.0
      },
      {
        "name": "persistence_via_autodial_dll_registry",
        "time": 0.0
      },
      {
        "name": "persistence_autorun",
        "time": 0.0
      },
      {
        "name": "persistence_autorun_tasks",
        "time": 0.0
      },
      {
        "name": "persistence_bootexecute",
        "time": 0.0
      },
      {
        "name": "persistence_registry_script",
        "time": 0.0
      },
      {
        "name": "powershell_network_connection",
        "time": 0.0
      },
      {
        "name": "powershell_download",
        "time": 0.0
      },
      {
        "name": "powershell_request",
        "time": 0.0
      },
      {
        "name": "createtoolhelp32snapshot_module_enumeration",
        "time": 0.0
      },
      {
        "name": "enumerates_running_processes",
        "time": 0.0
      },
      {
        "name": "process_interest",
        "time": 0.0
      },
      {
        "name": "process_needed",
        "time": 0.0
      },
      {
        "name": "mass_data_encryption",
        "time": 0.0
      },
      {
        "name": "ransomware_file_modifications",
        "time": 0.0
      },
      {
        "name": "ransomware_message",
        "time": 0.0
      },
      {
        "name": "nemty_network_activity",
        "time": 0.0
      },
      {
        "name": "nemty_note",
        "time": 0.0
      },
      {
        "name": "sodinokibi_behavior",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_registry",
        "time": 0.0
      },
      {
        "name": "blackrat_apis",
        "time": 0.0
      },
      {
        "name": "blackrat_network_activity",
        "time": 0.0
      },
      {
        "name": "blackrat_registry_keys",
        "time": 0.0
      },
      {
        "name": "dcrat_behavior",
        "time": 0.0
      },
      {
        "name": "karagany_system_event_objects",
        "time": 0.0
      },
      {
        "name": "rat_luminosity",
        "time": 0.0
      },
      {
        "name": "rat_nanocore",
        "time": 0.0
      },
      {
        "name": "netwire_behavior",
        "time": 0.0
      },
      {
        "name": "obliquerat_network_activity",
        "time": 0.0
      },
      {
        "name": "orcusrat_behavior",
        "time": 0.0
      },
      {
        "name": "trochilusrat_apis",
        "time": 0.0
      },
      {
        "name": "reads_self",
        "time": 0.0
      },
      {
        "name": "recon_beacon",
        "time": 0.0
      },
      {
        "name": "recon_programs",
        "time": 0.0
      },
      {
        "name": "recon_systeminfo",
        "time": 0.0
      },
      {
        "name": "accesses_recyclebin",
        "time": 0.0
      },
      {
        "name": "remcos_shell_code_dynamic_wrapper_x",
        "time": 0.0
      },
      {
        "name": "script_created_process",
        "time": 0.0
      },
      {
        "name": "script_network_activity",
        "time": 0.0
      },
      {
        "name": "suspicious_js_script",
        "time": 0.0
      },
      {
        "name": "javascript_timer",
        "time": 0.0
      },
      {
        "name": "secure_login_phishing",
        "time": 0.0
      },
      {
        "name": "securityxploded_modules",
        "time": 0.0
      },
      {
        "name": "get_clipboard_data",
        "time": 0.0
      },
      {
        "name": "sets_autoconfig_url",
        "time": 0.0
      },
      {
        "name": "spoofs_procname",
        "time": 0.0
      },
      {
        "name": "stack_pivot",
        "time": 0.0
      },
      {
        "name": "stack_pivot_file_created",
        "time": 0.0
      },
      {
        "name": "stack_pivot_process_create",
        "time": 0.0
      },
      {
        "name": "set_clipboard_data",
        "time": 0.0
      },
      {
        "name": "stealth_childproc",
        "time": 0.0
      },
      {
        "name": "stealth_file",
        "time": 0.0
      },
      {
        "name": "stealth_timeout",
        "time": 0.0
      },
      {
        "name": "stealth_window",
        "time": 0.0
      },
      {
        "name": "queries_keyboard_layout",
        "time": 0.0
      },
      {
        "name": "queries_locale_api",
        "time": 0.0
      },
      {
        "name": "terminates_remote_process",
        "time": 0.0
      },
      {
        "name": "uiautomationcore_load",
        "time": 0.0
      },
      {
        "name": "user_enum",
        "time": 0.0
      },
      {
        "name": "mmc_dll_script_load",
        "time": 0.0
      },
      {
        "name": "mmc_dotnet_load",
        "time": 0.0
      },
      {
        "name": "virus",
        "time": 0.0
      },
      {
        "name": "neshta_files",
        "time": 0.0
      },
      {
        "name": "neshta_regkeys",
        "time": 0.0
      },
      {
        "name": "webmail_phish",
        "time": 0.0
      },
      {
        "name": "persists_dev_util",
        "time": 0.0
      },
      {
        "name": "spawns_dev_util",
        "time": 0.0
      },
      {
        "name": "alters_windows_utility",
        "time": 0.0
      },
      {
        "name": "overwrites_accessibility_utility",
        "time": 0.0
      },
      {
        "name": "Potential_Lateral_Movement_Via_SMBEXEC",
        "time": 0.0
      },
      {
        "name": "potential_WebShell_Via_ScreenConnectServer",
        "time": 0.0
      },
      {
        "name": "uses_Microsoft_HTML_Help_Executable",
        "time": 0.0
      },
      {
        "name": "wiper_zeroedbytes",
        "time": 0.0
      },
      {
        "name": "wmi_create_process",
        "time": 0.0
      },
      {
        "name": "wmi_script_process",
        "time": 0.0
      },
      {
        "name": "antianalysis_tls_section",
        "time": 0.0
      },
      {
        "name": "antivirus_clamav",
        "time": 0.0
      },
      {
        "name": "antivirus_virustotal",
        "time": 0.0
      },
      {
        "name": "bad_certs",
        "time": 0.0
      },
      {
        "name": "bad_ssl_certs",
        "time": 0.0
      },
      {
        "name": "banker_zeus_p2p",
        "time": 0.0
      },
      {
        "name": "banker_zeus_url",
        "time": 0.001
      },
      {
        "name": "binary_yara",
        "time": 0.0
      },
      {
        "name": "bot_athenahttp",
        "time": 0.0
      },
      {
        "name": "bot_dirtjumper",
        "time": 0.0
      },
      {
        "name": "bot_drive",
        "time": 0.0
      },
      {
        "name": "bot_drive2",
        "time": 0.0
      },
      {
        "name": "bot_madness",
        "time": 0.0
      },
      {
        "name": "phishing_kit_detected",
        "time": 0.0
      },
      {
        "name": "family_proxyback",
        "time": 0.0
      },
      {
        "name": "flare_capa_antianalysis",
        "time": 0.0
      },
      {
        "name": "flare_capa_collection",
        "time": 0.0
      },
      {
        "name": "flare_capa_communication",
        "time": 0.0
      },
      {
        "name": "flare_capa_compiler",
        "time": 0.0
      },
      {
        "name": "flare_capa_datamanipulation",
        "time": 0.0
      },
      {
        "name": "flare_capa_executable",
        "time": 0.0
      },
      {
        "name": "flare_capa_hostinteraction",
        "time": 0.0
      },
      {
        "name": "flare_capa_impact",
        "time": 0.0
      },
      {
        "name": "flare_capa_lib",
        "time": 0.0
      },
      {
        "name": "flare_capa_linking",
        "time": 0.0
      },
      {
        "name": "flare_capa_loadcode",
        "time": 0.0
      },
      {
        "name": "flare_capa_malwarefamily",
        "time": 0.0
      },
      {
        "name": "flare_capa_nursery",
        "time": 0.0
      },
      {
        "name": "flare_capa_persistence",
        "time": 0.0
      },
      {
        "name": "flare_capa_runtime",
        "time": 0.0
      },
      {
        "name": "flare_capa_targeting",
        "time": 0.0
      },
      {
        "name": "threatfox",
        "time": 0.0
      },
      {
        "name": "log4shell",
        "time": 0.0
      },
      {
        "name": "mimics_extension",
        "time": 0.0
      },
      {
        "name": "network_country_distribution",
        "time": 0.0
      },
      {
        "name": "network_cnc_http",
        "time": 0.032
      },
      {
        "name": "network_ip_exe",
        "time": 0.001
      },
      {
        "name": "network_dga",
        "time": 0.0
      },
      {
        "name": "network_dga_fraunhofer",
        "time": 0.0
      },
      {
        "name": "network_dyndns",
        "time": 0.003
      },
      {
        "name": "network_excessive_udp",
        "time": 0.0
      },
      {
        "name": "network_http",
        "time": 0.011
      },
      {
        "name": "network_icmp",
        "time": 0.0
      },
      {
        "name": "network_irc",
        "time": 0.0
      },
      {
        "name": "network_open_proxy",
        "time": 0.001
      },
      {
        "name": "network_questionable_http_path",
        "time": 0.0
      },
      {
        "name": "network_questionable_https_path",
        "time": 0.0
      },
      {
        "name": "network_smtp",
        "time": 0.0
      },
      {
        "name": "network_torgateway",
        "time": 0.001
      },
      {
        "name": "origin_langid",
        "time": 0.0
      },
      {
        "name": "origin_resource_langid",
        "time": 0.0
      },
      {
        "name": "overlay",
        "time": 0.0
      },
      {
        "name": "packer_unknown_pe_section_name",
        "time": 0.0
      },
      {
        "name": "packer_aspack",
        "time": 0.0
      },
      {
        "name": "packer_aspirecrypt",
        "time": 0.0
      },
      {
        "name": "packer_bedsprotector",
        "time": 0.0
      },
      {
        "name": "packer_confuser",
        "time": 0.0
      },
      {
        "name": "packer_enigma",
        "time": 0.0
      },
      {
        "name": "packer_entropy",
        "time": 0.0
      },
      {
        "name": "packer_mpress",
        "time": 0.0
      },
      {
        "name": "packer_nate",
        "time": 0.0
      },
      {
        "name": "packer_nspack",
        "time": 0.0
      },
      {
        "name": "packer_smartassembly",
        "time": 0.0
      },
      {
        "name": "packer_spices",
        "time": 0.0
      },
      {
        "name": "packer_themida",
        "time": 0.0
      },
      {
        "name": "packer_titan",
        "time": 0.0
      },
      {
        "name": "packer_upx",
        "time": 0.0
      },
      {
        "name": "packer_vmprotect",
        "time": 0.0
      },
      {
        "name": "packer_yoda",
        "time": 0.0
      },
      {
        "name": "pdf_annot_urls_checker",
        "time": 0.0
      },
      {
        "name": "polymorphic",
        "time": 0.0
      },
      {
        "name": "punch_plus_plus_pcres",
        "time": 0.0
      },
      {
        "name": "procmem_yara",
        "time": 0.0
      },
      {
        "name": "recon_checkip",
        "time": 0.0
      },
      {
        "name": "static_authenticode",
        "time": 0.0
      },
      {
        "name": "invalid_authenticode_signature",
        "time": 0.0
      },
      {
        "name": "static_dotnet_anomaly",
        "time": 0.0
      },
      {
        "name": "static_java",
        "time": 0.0
      },
      {
        "name": "static_pdf",
        "time": 0.0
      },
      {
        "name": "contains_pe_overlay",
        "time": 0.0
      },
      {
        "name": "static_pe_anomaly",
        "time": 0.0
      },
      {
        "name": "pe_compile_timestomping",
        "time": 0.0
      },
      {
        "name": "static_pe_pdbpath",
        "time": 0.0
      },
      {
        "name": "static_rat_config",
        "time": 0.0
      },
      {
        "name": "static_versioninfo_anomaly",
        "time": 0.0
      },
      {
        "name": "suricata_alert",
        "time": 0.0
      },
      {
        "name": "suspicious_html_body",
        "time": 0.0
      },
      {
        "name": "suspicious_html_name",
        "time": 0.0
      },
      {
        "name": "suspicious_html_title",
        "time": 0.0
      },
      {
        "name": "volatility_devicetree_1",
        "time": 0.0
      },
      {
        "name": "volatility_handles_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_1",
        "time": 0.0
      },
      {
        "name": "volatility_ldrmodules_2",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_1",
        "time": 0.0
      },
      {
        "name": "volatility_malfind_2",
        "time": 0.0
      },
      {
        "name": "volatility_modscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_1",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_2",
        "time": 0.0
      },
      {
        "name": "volatility_svcscan_3",
        "time": 0.0
      },
      {
        "name": "whois_create",
        "time": 0.0
      },
      {
        "name": "accesses_mailslot",
        "time": 0.0
      },
      {
        "name": "accesses_netlogon_regkey",
        "time": 0.0
      },
      {
        "name": "accesses_public_folder",
        "time": 0.0
      },
      {
        "name": "accesses_sysvol",
        "time": 0.0
      },
      {
        "name": "writes_sysvol",
        "time": 0.0
      },
      {
        "name": "adds_admin_user",
        "time": 0.0
      },
      {
        "name": "adds_user",
        "time": 0.0
      },
      {
        "name": "overwrites_admin_password",
        "time": 0.0
      },
      {
        "name": "antianalysis_detectfile",
        "time": 0.002
      },
      {
        "name": "antianalysis_detectreg",
        "time": 0.001
      },
      {
        "name": "modify_attachment_manager",
        "time": 0.0
      },
      {
        "name": "antiav_detectfile",
        "time": 0.004
      },
      {
        "name": "antiav_detectreg",
        "time": 0.006
      },
      {
        "name": "antiav_srp",
        "time": 0.0
      },
      {
        "name": "antiav_whitespace",
        "time": 0.0
      },
      {
        "name": "antidebug_devices",
        "time": 0.001
      },
      {
        "name": "antiemu_windefend",
        "time": 0.0
      },
      {
        "name": "antiemu_wine_reg",
        "time": 0.0
      },
      {
        "name": "antisandbox_cuckoo_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_fortinet_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_joe_anubis_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_sboxie_mutex",
        "time": 0.0
      },
      {
        "name": "antisandbox_sunbelt_files",
        "time": 0.0
      },
      {
        "name": "antisandbox_threattrack_files",
        "time": 0.0
      },
      {
        "name": "antivm_bochs_keys",
        "time": 0.0
      },
      {
        "name": "antivm_generic_bios",
        "time": 0.0
      },
      {
        "name": "antivm_generic_diskreg",
        "time": 0.0
      },
      {
        "name": "antivm_hyperv_keys",
        "time": 0.0
      },
      {
        "name": "antivm_parallels_keys",
        "time": 0.0
      },
      {
        "name": "antivm_recentdocs",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vbox_files",
        "time": 0.002
      },
      {
        "name": "antivm_vbox_keys",
        "time": 0.001
      },
      {
        "name": "antivm_vmware_devices",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_files",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_keys",
        "time": 0.0
      },
      {
        "name": "antivm_vmware_mutexes",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_files",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_keys",
        "time": 0.0
      },
      {
        "name": "antivm_vpc_mutex",
        "time": 0.0
      },
      {
        "name": "antivm_xen_keys",
        "time": 0.0
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "gulpix_behavior",
        "time": 0.0
      },
      {
        "name": "ketrican_regkeys",
        "time": 0.0
      },
      {
        "name": "okrum_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_cridex",
        "time": 0.0
      },
      {
        "name": "geodo_banking_trojan",
        "time": 0.001
      },
      {
        "name": "banker_spyeye_mutexes",
        "time": 0.0
      },
      {
        "name": "banker_zeus_mutex",
        "time": 0.0
      },
      {
        "name": "bitcoin_opencl",
        "time": 0.0
      },
      {
        "name": "enumerates_physical_drives",
        "time": 0.0
      },
      {
        "name": "bot_russkill",
        "time": 0.0
      },
      {
        "name": "browser_addon",
        "time": 0.0
      },
      {
        "name": "chromium_browser_extension_directory",
        "time": 0.0
      },
      {
        "name": "browser_helper_object",
        "time": 0.0
      },
      {
        "name": "browser_security",
        "time": 0.001
      },
      {
        "name": "browser_startpage",
        "time": 0.0
      },
      {
        "name": "ie_disables_process_tab",
        "time": 0.0
      },
      {
        "name": "odbcconf_bypass",
        "time": 0.0
      },
      {
        "name": "squiblydoo_bypass",
        "time": 0.0
      },
      {
        "name": "squiblytwo_bypass",
        "time": 0.0
      },
      {
        "name": "bypass_chromium_protection",
        "time": 0.0
      },
      {
        "name": "bypass_firewall",
        "time": 0.0
      },
      {
        "name": "checks_uac_status",
        "time": 0.0
      },
      {
        "name": "uac_bypass_cmstpcom",
        "time": 0.0
      },
      {
        "name": "uac_bypass_delegateexecute_sdclt",
        "time": 0.0
      },
      {
        "name": "uac_bypass_fodhelper",
        "time": 0.0
      },
      {
        "name": "cape_extracted_content",
        "time": 0.0
      },
      {
        "name": "carberp_mutex",
        "time": 0.0
      },
      {
        "name": "clears_logs",
        "time": 0.0
      },
      {
        "name": "cmdline_obfuscation",
        "time": 0.0
      },
      {
        "name": "cmdline_switches",
        "time": 0.0
      },
      {
        "name": "cmdline_terminate",
        "time": 0.0
      },
      {
        "name": "cmdline_forfiles_wildcard",
        "time": 0.0
      },
      {
        "name": "cmdline_http_link",
        "time": 0.0
      },
      {
        "name": "cmdline_long_string",
        "time": 0.0
      },
      {
        "name": "cmdline_reversed_http_link",
        "time": 0.0
      },
      {
        "name": "long_commandline",
        "time": 0.0
      },
      {
        "name": "powershell_renamed_commandline",
        "time": 0.0
      },
      {
        "name": "copies_self",
        "time": 0.0
      },
      {
        "name": "credwiz_credentialaccess",
        "time": 0.0
      },
      {
        "name": "enables_wdigest",
        "time": 0.0
      },
      {
        "name": "vaultcmd_credentialaccess",
        "time": 0.0
      },
      {
        "name": "file_credential_store_access",
        "time": 0.0
      },
      {
        "name": "file_credential_store_write",
        "time": 0.0
      },
      {
        "name": "kerberos_credential_access_via_rubeus",
        "time": 0.0
      },
      {
        "name": "registry_credential_dumping",
        "time": 0.0
      },
      {
        "name": "registry_credential_store_access",
        "time": 0.0
      },
      {
        "name": "registry_lsa_secrets_access",
        "time": 0.0
      },
      {
        "name": "comsvcs_credentialdump",
        "time": 0.0
      },
      {
        "name": "cryptomining_stratum_command",
        "time": 0.0
      },
      {
        "name": "cypherit_mutexes",
        "time": 0.0
      },
      {
        "name": "darkcomet_regkeys",
        "time": 0.0
      },
      {
        "name": "datop_loader",
        "time": 0.0
      },
      {
        "name": "deepfreeze_mutex",
        "time": 0.0
      },
      {
        "name": "deletes_executed_files",
        "time": 0.0
      },
      {
        "name": "disables_app_launch",
        "time": 0.0
      },
      {
        "name": "disables_auto_app_termination",
        "time": 0.0
      },
      {
        "name": "disables_appv_virtualization",
        "time": 0.0
      },
      {
        "name": "disables_backups",
        "time": 0.001
      },
      {
        "name": "disables_browser_warn",
        "time": 0.001
      },
      {
        "name": "disables_context_menus",
        "time": 0.0
      },
      {
        "name": "disables_cpl_disable",
        "time": 0.0
      },
      {
        "name": "disables_crashdumps",
        "time": 0.0
      },
      {
        "name": "disables_event_logging",
        "time": 0.0
      },
      {
        "name": "disables_folder_options",
        "time": 0.0
      },
      {
        "name": "disables_notificationcenter",
        "time": 0.0
      },
      {
        "name": "disables_power_options",
        "time": 0.001
      },
      {
        "name": "disables_restore_default_state",
        "time": 0.0
      },
      {
        "name": "disables_run_command",
        "time": 0.0
      },
      {
        "name": "disables_smartscreen",
        "time": 0.0
      },
      {
        "name": "disables_startmenu_search",
        "time": 0.0
      },
      {
        "name": "disables_system_restore",
        "time": 0.0
      },
      {
        "name": "disables_uac",
        "time": 0.0
      },
      {
        "name": "disables_wer",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender",
        "time": 0.0
      },
      {
        "name": "disables_windows_defender_logging",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_contextmenu",
        "time": 0.0
      },
      {
        "name": "removes_windows_defender_updates",
        "time": 0.0
      },
      {
        "name": "windows_defender_powershell",
        "time": 0.0
      },
      {
        "name": "disables_windows_file_protection",
        "time": 0.0
      },
      {
        "name": "disables_windowsupdate",
        "time": 0.0
      },
      {
        "name": "disables_winfirewall",
        "time": 0.0
      },
      {
        "name": "discover_registry_mount_points",
        "time": 0.0
      },
      {
        "name": "adfind_domain_enumeration",
        "time": 0.0
      },
      {
        "name": "domain_enumeration_commands",
        "time": 0.0
      },
      {
        "name": "andromut_mutexes",
        "time": 0.0
      },
      {
        "name": "downloader_cabby",
        "time": 0.0
      },
      {
        "name": "phorpiex_mutexes",
        "time": 0.0
      },
      {
        "name": "protonbot_mutexes",
        "time": 0.0
      },
      {
        "name": "driver_filtermanager",
        "time": 0.0
      },
      {
        "name": "dropper",
        "time": 0.0
      },
      {
        "name": "dll_archive_execution",
        "time": 0.0
      },
      {
        "name": "lnk_archive_execution",
        "time": 0.0
      },
      {
        "name": "script_archive_execution",
        "time": 0.0
      },
      {
        "name": "excel4_macro_urls",
        "time": 0.0
      },
      {
        "name": "escalate_privilege_via_ntlm_relay",
        "time": 0.0
      },
      {
        "name": "spooler_access",
        "time": 0.0
      },
      {
        "name": "spooler_svc_start",
        "time": 0.0
      },
      {
        "name": "mapped_drives_uac",
        "time": 0.0
      },
      {
        "name": "hides_recycle_bin_icon",
        "time": 0.0
      },
      {
        "name": "apocalypse_stealer_file_behavior",
        "time": 0.0
      },
      {
        "name": "arkei_files",
        "time": 0.0
      },
      {
        "name": "azorult_mutexes",
        "time": 0.001
      },
      {
        "name": "infostealer_bitcoin",
        "time": 0.002
      },
      {
        "name": "cryptbot_files",
        "time": 0.0
      },
      {
        "name": "echelon_files",
        "time": 0.001
      },
      {
        "name": "infostealer_ftp",
        "time": 0.003
      },
      {
        "name": "infostealer_im",
        "time": 0.002
      },
      {
        "name": "infostealer_mail",
        "time": 0.002
      },
      {
        "name": "masslogger_files",
        "time": 0.0
      },
      {
        "name": "poullight_files",
        "time": 0.001
      },
      {
        "name": "purplewave_mutexes",
        "time": 0.0
      },
      {
        "name": "quilclipper_mutexes",
        "time": 0.0
      },
      {
        "name": "qulab_files",
        "time": 0.0
      },
      {
        "name": "qulab_mutexes",
        "time": 0.0
      },
      {
        "name": "asyncrat_mutex",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_ASPNet_Compiler",
        "time": 0.0
      },
      {
        "name": "Evade_Execute_Via_DeviceCredentialDeployment",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Filter_Manager_Control",
        "time": 0.0
      },
      {
        "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_appvlp",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_OpenSSH",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_pcalua",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_PesterPSModule",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_ScriptRunner",
        "time": 0.0
      },
      {
        "name": "execute_binary_via_ttdinject",
        "time": 0.0
      },
      {
        "name": "Execute_Binary_Via_VisualStudioLiveShare",
        "time": 0.0
      },
      {
        "name": "Execute_Msiexec_Via_Explorer",
        "time": 0.0
      },
      {
        "name": "execute_remote_msi",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_runscripthelper",
        "time": 0.0
      },
      {
        "name": "execute_suspicious_powershell_via_sqlps",
        "time": 0.0
      },
      {
        "name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
        "time": 0.0
      },
      {
        "name": "Perform_Malicious_Activities_Via_Headless_Browser",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_CertOC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_MSIEXEC",
        "time": 0.0
      },
      {
        "name": "Register_DLL_Via_Odbcconf",
        "time": 0.0
      },
      {
        "name": "Scriptlet_Proxy_Execution_Via_Pubprn",
        "time": 0.0
      },
      {
        "name": "ie_martian_children",
        "time": 0.0
      },
      {
        "name": "office_martian_children",
        "time": 0.0
      },
      {
        "name": "mimics_icon",
        "time": 0.0
      },
      {
        "name": "masquerade_process_name",
        "time": 0.002
      },
      {
        "name": "mimikatz_modules",
        "time": 0.0
      },
      {
        "name": "ms_office_cmd_rce",
        "time": 0.0
      },
      {
        "name": "mount_copy_to_webdav_share",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_legit_utilities",
        "time": 0.0
      },
      {
        "name": "potential_protocol_tunneling_via_qemu",
        "time": 0.0
      },
      {
        "name": "suspicious_execution_via_dotnet_remoting",
        "time": 0.0
      },
      {
        "name": "modify_certs",
        "time": 0.0
      },
      {
        "name": "dotnet_clr_usagelog_regkeys",
        "time": 0.0
      },
      {
        "name": "modify_hostfile",
        "time": 0.0
      },
      {
        "name": "modify_oem_information",
        "time": 0.0
      },
      {
        "name": "modify_security_center_warnings",
        "time": 0.0
      },
      {
        "name": "modify_uac_prompt",
        "time": 0.0
      },
      {
        "name": "network_dns_blockchain",
        "time": 0.0
      },
      {
        "name": "network_dns_opennic",
        "time": 0.001
      },
      {
        "name": "network_dns_paste_site",
        "time": 0.001
      },
      {
        "name": "network_dns_reverse_proxy",
        "time": 0.0
      },
      {
        "name": "network_dns_temp_file_storage",
        "time": 0.001
      },
      {
        "name": "network_dns_temp_urldns",
        "time": 0.0
      },
      {
        "name": "network_dns_url_shortener",
        "time": 0.008
      },
      {
        "name": "network_dns_doh_tls",
        "time": 0.0
      },
      {
        "name": "suspicious_tld",
        "time": 0.006
      },
      {
        "name": "network_tor_service",
        "time": 0.0
      },
      {
        "name": "office_code_page",
        "time": 0.0
      },
      {
        "name": "office_addinloading",
        "time": 0.0
      },
      {
        "name": "office_perfkey",
        "time": 0.0
      },
      {
        "name": "office_macro",
        "time": 0.0
      },
      {
        "name": "changes_trust_center_settings",
        "time": 0.0
      },
      {
        "name": "disables_vba_trust_access",
        "time": 0.0
      },
      {
        "name": "office_macro_autoexecution",
        "time": 0.0
      },
      {
        "name": "office_macro_ioc",
        "time": 0.0
      },
      {
        "name": "office_macro_malicious_prediction",
        "time": 0.0
      },
      {
        "name": "office_macro_suspicious",
        "time": 0.0
      },
      {
        "name": "rtf_aslr_bypass",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_characterset",
        "time": 0.0
      },
      {
        "name": "rtf_anomaly_version",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_content",
        "time": 0.0
      },
      {
        "name": "rtf_embedded_office_file",
        "time": 0.0
      },
      {
        "name": "rtf_exploit_static",
        "time": 0.0
      },
      {
        "name": "office_security",
        "time": 0.0
      },
      {
        "name": "accesses_office_username",
        "time": 0.0
      },
      {
        "name": "office_anomalous_feature",
        "time": 0.0
      },
      {
        "name": "office_dde_command",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_mutex",
        "time": 0.0
      },
      {
        "name": "packer_armadillo_regkey",
        "time": 0.0
      },
      {
        "name": "persistence_ads",
        "time": 0.0
      },
      {
        "name": "persistence_safeboot",
        "time": 0.0
      },
      {
        "name": "persistence_ifeo",
        "time": 0.0
      },
      {
        "name": "persistence_silent_process_exit",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_registry",
        "time": 0.0
      },
      {
        "name": "persistence_rdp_shadowing",
        "time": 0.0
      },
      {
        "name": "persistence_service",
        "time": 0.0
      },
      {
        "name": "persistence_shim_database",
        "time": 0.0
      },
      {
        "name": "powerpool_mutexes",
        "time": 0.0
      },
      {
        "name": "powershell_scriptblock_logging",
        "time": 0.0
      },
      {
        "name": "powershell_command_suspicious",
        "time": 0.0
      },
      {
        "name": "powershell_history_save_mod",
        "time": 0.0
      },
      {
        "name": "powershell_renamed",
        "time": 0.0
      },
      {
        "name": "powershell_reversed",
        "time": 0.0
      },
      {
        "name": "powershell_variable_obfuscation",
        "time": 0.0
      },
      {
        "name": "prevents_safeboot",
        "time": 0.0
      },
      {
        "name": "cmdline_process_discovery",
        "time": 0.0
      },
      {
        "name": "cryptomix_mutexes",
        "time": 0.0
      },
      {
        "name": "dharma_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_generic",
        "time": 0.0
      },
      {
        "name": "ransomware_extensions_known",
        "time": 0.004
      },
      {
        "name": "ransomware_files",
        "time": 0.006
      },
      {
        "name": "fonix_mutexes",
        "time": 0.0
      },
      {
        "name": "gandcrab_mutexes",
        "time": 0.0
      },
      {
        "name": "germanwiper_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_mutexes",
        "time": 0.0
      },
      {
        "name": "medusalocker_regkeys",
        "time": 0.0
      },
      {
        "name": "nemty_mutexes",
        "time": 0.0
      },
      {
        "name": "nemty_regkeys",
        "time": 0.0
      },
      {
        "name": "pysa_mutexes",
        "time": 0.0
      },
      {
        "name": "ransomware_radamant",
        "time": 0.0
      },
      {
        "name": "ransomware_recyclebin",
        "time": 0.0
      },
      {
        "name": "revil_mutexes",
        "time": 0.001
      },
      {
        "name": "ransomware_revil_regkey",
        "time": 0.0
      },
      {
        "name": "satan_mutexes",
        "time": 0.0
      },
      {
        "name": "snake_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransom_mutexes",
        "time": 0.0
      },
      {
        "name": "stop_ransomware_cmd",
        "time": 0.0
      },
      {
        "name": "ransomware_stopdjvu",
        "time": 0.0
      },
      {
        "name": "rat_beebus_mutexes",
        "time": 0.0
      },
      {
        "name": "blacknet_mutexes",
        "time": 0.0
      },
      {
        "name": "blackrat_mutexes",
        "time": 0.0
      },
      {
        "name": "crat_mutexes",
        "time": 0.0
      },
      {
        "name": "dcrat_files",
        "time": 0.0
      },
      {
        "name": "dcrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_fynloski_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_mutexes",
        "time": 0.0
      },
      {
        "name": "limerat_regkeys",
        "time": 0.0
      },
      {
        "name": "lodarat_file_behavior",
        "time": 0.0
      },
      {
        "name": "modirat_behavior",
        "time": 0.0
      },
      {
        "name": "njrat_regkeys",
        "time": 0.0
      },
      {
        "name": "obliquerat_files",
        "time": 0.0
      },
      {
        "name": "obliquerat_mutexes",
        "time": 0.0
      },
      {
        "name": "parallax_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_pcclient",
        "time": 0.0
      },
      {
        "name": "rat_plugx_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_poisonivy_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_quasar_mutexes",
        "time": 0.0
      },
      {
        "name": "ratsnif_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_spynet",
        "time": 0.0
      },
      {
        "name": "venomrat_mutexes",
        "time": 0.0
      },
      {
        "name": "warzonerat_files",
        "time": 0.0
      },
      {
        "name": "warzonerat_regkeys",
        "time": 0.0
      },
      {
        "name": "xpertrat_files",
        "time": 0.0
      },
      {
        "name": "xpertrat_mutexes",
        "time": 0.0
      },
      {
        "name": "rat_xtreme_mutexes",
        "time": 0.0
      },
      {
        "name": "reads_password_database",
        "time": 0.0
      },
      {
        "name": "recon_fingerprint",
        "time": 0.001
      },
      {
        "name": "remcos_files",
        "time": 0.0
      },
      {
        "name": "remcos_mutexes",
        "time": 0.0
      },
      {
        "name": "remcos_regkeys",
        "time": 0.0
      },
      {
        "name": "rdptcp_key",
        "time": 0.0
      },
      {
        "name": "uses_rdp_clip",
        "time": 0.0
      },
      {
        "name": "uses_remote_desktop_session",
        "time": 0.0
      },
      {
        "name": "removes_networking_icon",
        "time": 0.0
      },
      {
        "name": "removes_pinned_programs",
        "time": 0.0
      },
      {
        "name": "removes_security_maintenance_icon",
        "time": 0.0
      },
      {
        "name": "removes_startmenu_defaults",
        "time": 0.0
      },
      {
        "name": "removes_username_startmenu",
        "time": 0.0
      },
      {
        "name": "spicyhotpot_behavior",
        "time": 0.0
      },
      {
        "name": "sniffer_winpcap",
        "time": 0.0
      },
      {
        "name": "spreading_autoruninf",
        "time": 0.0
      },
      {
        "name": "stealth_hidden_extension",
        "time": 0.0
      },
      {
        "name": "stealth_hiddenreg",
        "time": 0.0
      },
      {
        "name": "stealth_hide_notifications",
        "time": 0.0
      },
      {
        "name": "stealth_webhistory",
        "time": 0.0
      },
      {
        "name": "sysinternals_psexec",
        "time": 0.0
      },
      {
        "name": "sysinternals_tools",
        "time": 0.0
      },
      {
        "name": "language_check_registry",
        "time": 0.0
      },
      {
        "name": "tampers_etw",
        "time": 0.0
      },
      {
        "name": "lsa_tampering",
        "time": 0.0
      },
      {
        "name": "tampers_powershell_logging",
        "time": 0.0
      },
      {
        "name": "targeted_flame",
        "time": 0.0
      },
      {
        "name": "territorial_disputes_sigs",
        "time": 0.003
      },
      {
        "name": "trickbot_mutex",
        "time": 0.0
      },
      {
        "name": "fleercivet_mutex",
        "time": 0.0
      },
      {
        "name": "lokibot_mutexes",
        "time": 0.0
      },
      {
        "name": "ursnif_behavior",
        "time": 0.001
      },
      {
        "name": "uses_adfind",
        "time": 0.0
      },
      {
        "name": "uses_ms_protocol",
        "time": 0.0
      },
      {
        "name": "neshta_mutexes",
        "time": 0.0
      },
      {
        "name": "renamer_mutexes",
        "time": 0.0
      },
      {
        "name": "owa_web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_files",
        "time": 0.0
      },
      {
        "name": "web_shell_processes",
        "time": 0.0
      },
      {
        "name": "dotnet_csc_build",
        "time": 0.0
      },
      {
        "name": "mavinject_lolbin",
        "time": 0.0
      },
      {
        "name": "multiple_explorer_instances",
        "time": 0.0
      },
      {
        "name": "script_tool_executed",
        "time": 0.0
      },
      {
        "name": "suspicious_certutil_use",
        "time": 0.0
      },
      {
        "name": "suspicious_command_tools",
        "time": 0.0
      },
      {
        "name": "suspicious_mpcmdrun_use",
        "time": 0.0
      },
      {
        "name": "suspicious_ping_use",
        "time": 0.0
      },
      {
        "name": "uses_powershell_copyitem",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_appcmd",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_csvde_ldifde",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_cipher",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_clickonce",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_curl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_dsquery",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_esentutl",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_finger",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_mode",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_ntdsutil",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_nltest",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_setx",
        "time": 0.0
      },
      {
        "name": "uses_windows_utilities_xcopy",
        "time": 0.0
      },
      {
        "name": "wmic_command_suspicious",
        "time": 0.0
      },
      {
        "name": "scrcons_wmi_script_consumer",
        "time": 0.0
      },
      {
        "name": "allaple_mutexes",
        "time": 0.0
      }
    ],
    "reporting": [
      {
        "name": "BinGraph",
        "time": 0.0
      }
    ]
  },
  "target": {
    "category": "file",
    "file": {
      "name": "ClientPlugin.dll",
      "path": "/opt/CAPEv2/storage/binaries/61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403",
      "guest_paths": "",
      "size": 19968,
      "crc32": "BE3B83AB",
      "md5": "bdc8945f1d799c845408522e372d1dbd",
      "sha1": "874b7c3c97cc5b13b9dd172fec5a54bc1f258005",
      "sha256": "61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403",
      "sha512": "4fa0ed4ef66e4c442f5fc628e8bfc8a4f84cb213210643996d9387027edb619c054f6104ac889ae77cece09f0304f95d5f20e14d66847e2d382ef51eecec0962",
      "rh_hash": null,
      "ssdeep": "192:VYLQui6h6p5WW3tZVTnlYJL/eLYLTr2/C8:VYLQu/6/fKqLYLTR",
      "type": "PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
      "yara": [
        {
          "name": "DITEKSHEN_MALWARE_Win_Nanocore",
          "meta": {
            "description": "Detects NanoCore",
            "author": "ditekSHen",
            "id": "931b98f6-df2b-538b-bc49-ecbbd24334da",
            "date": "2020-11-06",
            "modified": "2024-11-01",
            "reference": "https://github.com/ditekshen/detection",
            "source_url": "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7654-L7681",
            "license_url": "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt",
            "logic_hash": "6336260e0af2b4b51338ee066f41b7c58aa134a6c03ca110db7e088edf2b65a7",
            "score": 75,
            "quality": 75,
            "tags": "FILE"
          },
          "strings": [
            "NanoCore.ClientPlugin",
            "NanoCore.ClientPluginHost",
            "IClientApp",
            "IClientData",
            "IClientNetwork",
            "IClientAppHost",
            "IClientDataHost",
            "IClientLoggingHost",
            "IClientNetworkHost",
            "IClientUIHost",
            "IClientNameObjectCollection",
            "IClientReadOnlyNameObjectCollection",
            "ClientPlugin",
            "get_ClientSettings",
            "get_Connected"
          ],
          "addresses": {
            "x2": 3640,
            "x3": 3701,
            "i1": 3674,
            "i2": 3662,
            "i3": 3625,
            "i4": 3779,
            "i5": 3685,
            "i6": 3760,
            "i7": 3727,
            "i8": 3746,
            "i9": 3794,
            "i10": 3831,
            "s1": 6025,
            "s6": 4601,
            "s7": 4681
          }
        },
        {
          "name": "Windows_Trojan_Nanocore_d8c4e3c5",
          "meta": {
            "author": "Elastic Security",
            "id": "d8c4e3c5-8bcc-43d2-9104-fa3774282da5",
            "fingerprint": "e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4",
            "creation_date": "2021-06-13",
            "last_modified": "2021-08-23",
            "threat_name": "Windows.Trojan.Nanocore",
            "reference_sample": "b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd",
            "severity": 100,
            "arch_context": "x86, arm64",
            "scan_context": "file, memory",
            "license": "Elastic License v2",
            "os": "windows"
          },
          "strings": [
            "NanoCore.ClientPluginHost",
            "NanoCore.ClientPlugin",
            "get_BuilderSettings",
            "IClientAppHost",
            "AddHostEntry",
            "LogClientException",
            "PipeExists",
            "IClientLoggingHost"
          ],
          "addresses": {
            "a1": 3701,
            "a2": 3640,
            "b1": 4620,
            "b4": 3779,
            "b6": 4733,
            "b7": 4844,
            "b8": 4705,
            "b9": 3760
          }
        },
        {
          "name": "Nanocore_RAT_Gen_2",
          "meta": {
            "description": "Detects the Nanocore RAT",
            "author": "Florian Roth",
            "score": 100,
            "reference": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
            "date": "2016-04-22",
            "hash1": "755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050"
          },
          "strings": [
            "NanoCore.ClientPluginHost",
            "IClientNetworkHost"
          ],
          "addresses": {
            "x1": 3701,
            "x2": 3727
          }
        },
        {
          "name": "NETDLLMicrosoft",
          "meta": {
            "author": "malware-lu"
          },
          "strings": [
            "{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }"
          ],
          "addresses": {
            "a0": 6858
          }
        },
        {
          "name": "IsPE32",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsNET_DLL",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsDLL",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsWindowsGUI",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "Microsoft_Visual_Studio_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 6894
          }
        },
        {
          "name": "Microsoft_Visual_C_v70_Basic_NET_additional",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 6894
          }
        },
        {
          "name": "Microsoft_Visual_C_Basic_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 6894
          }
        },
        {
          "name": "Microsoft_Visual_Studio_NET_additional",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 6894
          }
        },
        {
          "name": "Microsoft_Visual_C_v70_Basic_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 6894
          }
        },
        {
          "name": "NET_executable_",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 6894
          }
        },
        {
          "name": "NET_executable",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 6894
          }
        }
      ],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1CA924D1362CE7DE6E5B916303B3387C1C72DDE041653DA2E16D87629E97E2833A523D8",
      "sha3_384": "34e76812c5bbcc4e39114f9560b049a9e8ac0f74800b55f33641134edf5dfb32ff8a420a55be3ca4c294e8d1f69db255",
      "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
      "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "No signature found.",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00400000",
        "entrypoint": "0x000038ee",
        "ep_bytes": "ff250020400000000000000000000000",
        "peid_signatures": null,
        "reported_checksum": "0x00000000",
        "actual_checksum": "0x0000721e",
        "osversion": "4.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": null,
        "imports": {
          "mscoree": {
            "dll": "mscoree.dll",
            "imports": [
              {
                "address": "0x402000",
                "name": "_CorDllMain"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0000389c",
            "size": "0x0000004f"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x00004000",
            "size": "0x00002f58"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00008000",
            "size": "0x0000000c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00002000",
            "size": "0x00000008"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00002008",
            "size": "0x00000048"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000200",
            "virtual_address": "0x00002000",
            "virtual_size": "0x000018f4",
            "size_of_data": "0x00001a00",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x60000020",
            "entropy": "5.26"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00001c00",
            "virtual_address": "0x00004000",
            "virtual_size": "0x00002f58",
            "size_of_data": "0x00003000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "3.31"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00004c00",
            "virtual_address": "0x00008000",
            "virtual_size": "0x0000000c",
            "size_of_data": "0x00000200",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "0.08"
          }
        ],
        "overlay": null,
        "resources": [
          {
            "name": "RT_ICON",
            "offset": "0x00004468",
            "size": "0x000002e8",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "1.71"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00004750",
            "size": "0x00000128",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "2.08"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00004878",
            "size": "0x000008a8",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "1.72"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00005120",
            "size": "0x00000568",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "1.05"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00005688",
            "size": "0x00000353",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "4.05"
          },
          {
            "name": "RT_ICON",
            "offset": "0x000059e0",
            "size": "0x000010a8",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "2.72"
          },
          {
            "name": "RT_ICON",
            "offset": "0x00006a88",
            "size": "0x00000468",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "2.76"
          },
          {
            "name": "RT_GROUP_ICON",
            "offset": "0x00006ef0",
            "size": "0x00000068",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "2.69"
          },
          {
            "name": "RT_VERSION",
            "offset": "0x00004208",
            "size": "0x0000025c",
            "filetype": null,
            "language": "LANG_NEUTRAL",
            "sublanguage": "SUBLANG_NEUTRAL",
            "entropy": "3.23"
          }
        ],
        "versioninfo": [
          {
            "name": "Translation",
            "value": "0x0000 0x04b0"
          },
          {
            "name": "FileDescription",
            "value": " "
          },
          {
            "name": "FileVersion",
            "value": "1.2.0.0"
          },
          {
            "name": "InternalName",
            "value": "ClientPlugin.dll"
          },
          {
            "name": "LegalCopyright",
            "value": " "
          },
          {
            "name": "OriginalFilename",
            "value": "ClientPlugin.dll"
          },
          {
            "name": "ProductVersion",
            "value": "1.2.0.0"
          },
          {
            "name": "Assembly Version",
            "value": "1.2.0.0"
          }
        ],
        "imphash": "dae02f32a21e03ce65412f6e56942daa",
        "timestamp": "2014-11-23 01:09:01",
        "icon": "iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAY0lEQVR4nO3XIQ6AMBBE0YH0eGuAcwKmZ1sLCkHRZUj4o9qaeVmzqfT3DJl5OAGjs1ySynWIiFeLa62SPjABAABK+7Cte9fCeZlud/sEAAAAAAAAADvgsY7bddk79gnwMSH2nLDUDvNx5OJLAAAAAElFTkSuQmCC",
        "icon_hash": "f66c7c86e9ab59ef3f289acd613a3738",
        "icon_fuzzy": "c3ca946d749a15ad18efd3e5d7b0d8f5",
        "icon_dhash": "454545d4d4d44503",
        "imported_dll_count": 1
      },
      "data": null,
      "strings": [
        "System.CodeDom.Compiler",
        "get_ClientSettings",
        "RestoreProtection",
        "mscoree.dll",
        "EntryExists",
        "params",
        "Assembly Version",
        "ClientPlugin.dll",
        "SendToServer",
        "RebuildHostCache",
        "m_Context",
        "KeyValuePair`2",
        "GetObjectValue",
        "set_Value",
        "TargetMethod",
        "My.Application",
        "1.2.0.0",
        "NanoCore.My",
        "IDATx",
        "Microsoft.VisualBasic.CompilerServices",
        "InternalName",
        "message",
        "System",
        "#Blob",
        "_CorDllMain",
        "System.Diagnostics",
        "MulticastDelegate",
        "ClientPlugin",
        "ComVisibleAttribute",
        "MyApplication",
        "IClientNameObjectCollection",
        "MyGroupCollectionAttribute",
        "EditorBrowsableAttribute",
        "pipeName",
        "AddHostEntry",
        "ParamArrayAttribute",
        "MyComputer",
        "BeginInvoke",
        ".ctor",
        "MyProject",
        "compress",
        "ThreadSafeObjectProvider`1",
        "LogClientException",
        "ConnectionStateChanged",
        "DebuggerHiddenAttribute",
        "System.ComponentModel",
        "ToString",
        "DelegateCallback",
        "instance",
        "wwwwwwwwwwwwww",
        "VarFileInfo",
        "LegalCopyright",
        "My.Computer",
        "get_Connected",
        "GetEntries",
        "AsyncCallback",
        "MyTemplate",
        "m_AppObjectProvider",
        "Restart",
        "System.Runtime.CompilerServices",
        "<Module>",
        "GetInstance",
        "Uninstall",
        "get_GetInstance",
        "Equals",
        "IAsyncResult",
        "wwwwww",
        "ClientSettingChanged",
        "EndInvoke",
        "My.User",
        "FileVersion",
        "ClientInvokeDelegate",
        "ContextValue`1",
        "SetValue",
        "IClientNetwork",
        "get_WebServices",
        "PipeCreated",
        "`.rsrc",
        ".text",
        "AssemblyFileVersionAttribute",
        "WebServices",
        "Invoke",
        "StringFileInfo",
        "LogClientMessage",
        "GuidAttribute",
        "NanoCore",
        "AssemblyTrademarkAttribute",
        "DelegateAsyncState",
        "v2.0.50727",
        "ProductVersion",
        "#Strings",
        "System.Collections.Generic",
        "System.ComponentModel.Design",
        "Microsoft.VisualBasic",
        "AssemblyProductAttribute",
        "ClientSettings",
        "FileDescription",
        "@.reloc",
        "ConnectionFailed",
        "IClientUIHost",
        "$d6e3c4d8-8560-4021-a765-fad7362f3388",
        "VariableChanged",
        "MyWebServices",
        "!This program cannot be run in DOS mode.",
        "ClosePipe",
        "My.WebServices",
        "Variables",
        "IClientLoggingHost",
        "GetHashCode",
        "IClientNetworkHost",
        "TargetObject",
        "AssemblyCompanyAttribute",
        "BuildingHostCache",
        "GetValue",
        "m_UserObjectProvider",
        "Connected",
        "IClientApp",
        "RuntimeCompatibilityAttribute",
        "Dispose__Instance__",
        "8.0.0.0",
        "CompilationRelaxationsAttribute",
        "get_Application",
        "IClientData",
        "Activator",
        "000004b0",
        "PipeExists",
        "state",
        "PluginUninstalling",
        "Application",
        "Translation",
        "mscorlib",
        "OriginalFilename",
        "RuntimeHelpers",
        "RemoveValue",
        "IClientReadOnlyNameObjectCollection",
        "get_User",
        "CreateInstance",
        "IClientAppHost",
        "HideModuleNameAttribute",
        "connected",
        "ReadPacket",
        "System.Runtime.InteropServices",
        "value",
        "VS_VERSION_INFO",
        "HelpKeywordAttribute",
        "get_Variables",
        "Create__Instance__",
        "Computer",
        "Disconnect",
        "Exception",
        "AssemblyTitleAttribute",
        "defaultValue",
        "ApplicationBase",
        "#GUID",
        "ClientUninstalling",
        "AssemblyDescriptionAttribute",
        "NanoCore.ClientPlugin",
        "IClientDataHost",
        "Object",
        "get_BuilderSettings",
        "method",
        "System.Reflection",
        "AssemblyCopyrightAttribute",
        "DisableProtection",
        "get_Value",
        "Microsoft.VisualBasic.Devices",
        "4System.Web.Services.Protocols.SoapHttpClientProtocol",
        "m_MyWebServicesObjectProvider",
        "m_ComputerObjectProvider",
        "BuilderSettings",
        "GeneratedCodeAttribute",
        "NanoCore.ClientPluginHost",
        "Shutdown",
        "DelegateAsyncResult",
        "RuntimeTypeHandle",
        "WrapNonExceptionThrows",
        "get_Computer",
        ".cctor",
        "GetType",
        "StandardModuleAttribute",
        "GetTypeFromHandle",
        "PipeClosed",
        "EditorBrowsableState",
        "Microsoft.VisualBasic.ApplicationServices",
        "Microsoft.VisualBasic.MyServices.Internal"
      ],
      "virustotal": {
        "error": true,
        "msg": "VT File lookup disabled in processing.conf"
      },
      "executed_tools": [
        "overlay",
        "msi_extract",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 0,
      "cape_type": ""
    }
  },
  "procdump": [
    {
      "name": "9d7c7de83cb3527f377d51220f8a046ac9c72bce4389ade3d7d133b7a31ea3d3",
      "path": "/opt/CAPEv2/storage/analyses/36/procdump/9d7c7de83cb3527f377d51220f8a046ac9c72bce4389ade3d7d133b7a31ea3d3",
      "guest_paths": "1;?C:\\Windows\\SysWOW64\\rundll32.exe;?C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll;?",
      "size": 7680,
      "crc32": "A45BF1B0",
      "md5": "08586ab761ab859d6860a2c7de3bebd2",
      "sha1": "8cea2f8166202b243f70ded0b9dfb7fce1518365",
      "sha256": "9d7c7de83cb3527f377d51220f8a046ac9c72bce4389ade3d7d133b7a31ea3d3",
      "sha512": "7ab3fd442e35dd3140aef27abe78bd2374623b9d4794c6325977ad4c35943861ff79a7d8e0dd361660d2bed1a8618379cbfa8aa7254b16021a934071a6560ba0",
      "rh_hash": null,
      "ssdeep": "96:QYLIkUui+Nqih6pe+WWLTtZE2F6lYlnlYJnLEM/m3bViL0KfrneR1P7ZXmrI:QYLQui6h6p5WW3tZVTnlYJL/eLYLTr2",
      "type": "PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
      "yara": [
        {
          "name": "DITEKSHEN_MALWARE_Win_Nanocore",
          "meta": {
            "description": "Detects NanoCore",
            "author": "ditekSHen",
            "id": "931b98f6-df2b-538b-bc49-ecbbd24334da",
            "date": "2020-11-06",
            "modified": "2024-11-01",
            "reference": "https://github.com/ditekshen/detection",
            "source_url": "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7654-L7681",
            "license_url": "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt",
            "logic_hash": "6336260e0af2b4b51338ee066f41b7c58aa134a6c03ca110db7e088edf2b65a7",
            "score": 75,
            "quality": 75,
            "tags": "FILE"
          },
          "strings": [
            "NanoCore.ClientPlugin",
            "NanoCore.ClientPluginHost",
            "IClientApp",
            "IClientData",
            "IClientNetwork",
            "IClientAppHost",
            "IClientDataHost",
            "IClientLoggingHost",
            "IClientNetworkHost",
            "IClientUIHost",
            "IClientNameObjectCollection",
            "IClientReadOnlyNameObjectCollection",
            "ClientPlugin",
            "get_ClientSettings",
            "get_Connected"
          ],
          "addresses": {
            "x2": 4152,
            "x3": 4213,
            "i1": 4186,
            "i2": 4174,
            "i3": 4137,
            "i4": 4291,
            "i5": 4197,
            "i6": 4272,
            "i7": 4239,
            "i8": 4258,
            "i9": 4306,
            "i10": 4343,
            "s1": 6537,
            "s6": 5113,
            "s7": 5193
          }
        },
        {
          "name": "Windows_Trojan_Nanocore_d8c4e3c5",
          "meta": {
            "author": "Elastic Security",
            "id": "d8c4e3c5-8bcc-43d2-9104-fa3774282da5",
            "fingerprint": "e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4",
            "creation_date": "2021-06-13",
            "last_modified": "2021-08-23",
            "threat_name": "Windows.Trojan.Nanocore",
            "reference_sample": "b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd",
            "severity": 100,
            "arch_context": "x86, arm64",
            "scan_context": "file, memory",
            "license": "Elastic License v2",
            "os": "windows"
          },
          "strings": [
            "NanoCore.ClientPluginHost",
            "NanoCore.ClientPlugin",
            "get_BuilderSettings",
            "IClientAppHost",
            "AddHostEntry",
            "LogClientException",
            "PipeExists",
            "IClientLoggingHost"
          ],
          "addresses": {
            "a1": 4213,
            "a2": 4152,
            "b1": 5132,
            "b4": 4291,
            "b6": 5245,
            "b7": 5356,
            "b8": 5217,
            "b9": 4272
          }
        },
        {
          "name": "Nanocore_RAT_Gen_2",
          "meta": {
            "description": "Detects the Nanocore RAT",
            "author": "Florian Roth",
            "score": 100,
            "reference": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
            "date": "2016-04-22",
            "hash1": "755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050"
          },
          "strings": [
            "NanoCore.ClientPluginHost",
            "IClientNetworkHost"
          ],
          "addresses": {
            "x1": 4213,
            "x2": 4239
          }
        },
        {
          "name": "NETDLLMicrosoft",
          "meta": {
            "author": "malware-lu"
          },
          "strings": [
            "{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }"
          ],
          "addresses": {
            "a0": 7370
          }
        },
        {
          "name": "IsPE32",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsNET_DLL",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsDLL",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "IsWindowsGUI",
          "meta": {},
          "strings": [],
          "addresses": {}
        },
        {
          "name": "Microsoft_Visual_Studio_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 7406
          }
        },
        {
          "name": "Microsoft_Visual_C_v70_Basic_NET_additional",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 7406
          }
        },
        {
          "name": "Microsoft_Visual_C_Basic_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 7406
          }
        },
        {
          "name": "Microsoft_Visual_Studio_NET_additional",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 7406
          }
        },
        {
          "name": "Microsoft_Visual_C_v70_Basic_NET",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 7406
          }
        },
        {
          "name": "NET_executable_",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "a": 7406
          }
        },
        {
          "name": "NET_executable",
          "meta": {},
          "strings": [
            "{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }"
          ],
          "addresses": {
            "b": 7406
          }
        }
      ],
      "cape_yara": [],
      "clamav": [],
      "tlsh": "T1F5F1D71AE3C0D2B6CF6A2372490399405BB2CB0932CBEF57159C9376C8D6B990B67167",
      "sha3_384": "db7d891351ab061a15580b9b986a987f3ad831454033bbe28ee8a1054c75e623a25d3c90c295d68347270bb4ff07ebee",
      "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d",
      "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
      "pe": {
        "guest_signers": {
          "aux_sha1": null,
          "aux_timestamp": null,
          "aux_valid": false,
          "aux_error": true,
          "aux_error_desc": "No signature found.",
          "aux_signers": []
        },
        "digital_signers": [],
        "imagebase": "0x00400000",
        "entrypoint": "0x000038ee",
        "ep_bytes": "ff250020400000000000000000000000",
        "peid_signatures": null,
        "reported_checksum": "0x00000000",
        "actual_checksum": "0x000069a1",
        "osversion": "4.0",
        "machine_type": "IMAGE_FILE_MACHINE_I386",
        "pdbpath": null,
        "imports": {
          "mscoree": {
            "dll": "mscoree.dll",
            "imports": [
              {
                "address": "0x402000",
                "name": "_CorDllMain"
              }
            ]
          }
        },
        "exported_dll_name": null,
        "exports": [],
        "dirents": [
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
            "virtual_address": "0x0000389c",
            "size": "0x0000004f"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
            "virtual_address": "0x00004000",
            "size": "0x00002f58"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
            "virtual_address": "0x00008000",
            "size": "0x0000000c"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_TLS",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_IAT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
            "virtual_address": "0x00002008",
            "size": "0x00000048"
          },
          {
            "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
            "virtual_address": "0x00000000",
            "size": "0x00000000"
          }
        ],
        "sections": [
          {
            "name": ".text",
            "raw_address": "0x00000400",
            "virtual_address": "0x00002000",
            "virtual_size": "0x00002000",
            "size_of_data": "0x00001a00",
            "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
            "characteristics_raw": "0xe0000020",
            "entropy": "5.26"
          },
          {
            "name": ".rsrc",
            "raw_address": "0x00001e00",
            "virtual_address": "0x00004000",
            "virtual_size": "0x00004000",
            "size_of_data": "0x00000000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x40000040",
            "entropy": "0.00"
          },
          {
            "name": ".reloc",
            "raw_address": "0x00001e00",
            "virtual_address": "0x00008000",
            "virtual_size": "0x00002000",
            "size_of_data": "0x00000000",
            "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
            "characteristics_raw": "0x42000040",
            "entropy": "0.00"
          }
        ],
        "overlay": null,
        "resources": [],
        "versioninfo": [],
        "imphash": "dae02f32a21e03ce65412f6e56942daa",
        "timestamp": "2014-11-23 01:09:01",
        "icon": null,
        "icon_hash": null,
        "icon_fuzzy": null,
        "icon_dhash": null,
        "imported_dll_count": 1
      },
      "data": null,
      "strings": [
        "System.CodeDom.Compiler",
        "get_ClientSettings",
        "RestoreProtection",
        "mscoree.dll",
        "EntryExists",
        "params",
        "ClientPlugin.dll",
        "SendToServer",
        "RebuildHostCache",
        "m_Context",
        "KeyValuePair`2",
        "GetObjectValue",
        "set_Value",
        "TargetMethod",
        "My.Application",
        "1.2.0.0",
        "NanoCore.My",
        "Microsoft.VisualBasic.CompilerServices",
        "message",
        "System",
        "#Blob",
        "_CorDllMain",
        "System.Diagnostics",
        "MulticastDelegate",
        "ClientPlugin",
        "ComVisibleAttribute",
        "MyApplication",
        "IClientNameObjectCollection",
        "MyGroupCollectionAttribute",
        "EditorBrowsableAttribute",
        "pipeName",
        "AddHostEntry",
        "ParamArrayAttribute",
        "MyComputer",
        "BeginInvoke",
        ".ctor",
        "MyProject",
        "compress",
        "ThreadSafeObjectProvider`1",
        "LogClientException",
        "ConnectionStateChanged",
        "DebuggerHiddenAttribute",
        "System.ComponentModel",
        "ToString",
        "DelegateCallback",
        "instance",
        "My.Computer",
        "get_Connected",
        "GetEntries",
        "AsyncCallback",
        "MyTemplate",
        "m_AppObjectProvider",
        "Restart",
        "System.Runtime.CompilerServices",
        "<Module>",
        "GetInstance",
        "Uninstall",
        "get_GetInstance",
        "Equals",
        "IAsyncResult",
        "ClientSettingChanged",
        "EndInvoke",
        "My.User",
        "ClientInvokeDelegate",
        "ContextValue`1",
        "SetValue",
        "IClientNetwork",
        "get_WebServices",
        "PipeCreated",
        ".text",
        "AssemblyFileVersionAttribute",
        "WebServices",
        "Invoke",
        "LogClientMessage",
        "GuidAttribute",
        "NanoCore",
        "AssemblyTrademarkAttribute",
        "DelegateAsyncState",
        "v2.0.50727",
        "#Strings",
        "System.Collections.Generic",
        "System.ComponentModel.Design",
        "Microsoft.VisualBasic",
        "AssemblyProductAttribute",
        "ClientSettings",
        "@.reloc",
        "ConnectionFailed",
        "IClientUIHost",
        "$d6e3c4d8-8560-4021-a765-fad7362f3388",
        ".rsrc",
        "VariableChanged",
        "MyWebServices",
        "!This program cannot be run in DOS mode.",
        "ClosePipe",
        "My.WebServices",
        "Variables",
        "IClientLoggingHost",
        "GetHashCode",
        "IClientNetworkHost",
        "TargetObject",
        "AssemblyCompanyAttribute",
        "BuildingHostCache",
        "GetValue",
        "m_UserObjectProvider",
        "Connected",
        "IClientApp",
        "RuntimeCompatibilityAttribute",
        "Dispose__Instance__",
        "8.0.0.0",
        "CompilationRelaxationsAttribute",
        "get_Application",
        "IClientData",
        "Activator",
        "PipeExists",
        "state",
        "Application",
        "PluginUninstalling",
        "mscorlib",
        "RuntimeHelpers",
        "RemoveValue",
        "IClientReadOnlyNameObjectCollection",
        "get_User",
        "CreateInstance",
        "IClientAppHost",
        "HideModuleNameAttribute",
        "connected",
        "ReadPacket",
        "System.Runtime.InteropServices",
        "value",
        "HelpKeywordAttribute",
        "get_Variables",
        "Create__Instance__",
        "Computer",
        "Disconnect",
        "Exception",
        "AssemblyTitleAttribute",
        "defaultValue",
        "ApplicationBase",
        "#GUID",
        "ClientUninstalling",
        "AssemblyDescriptionAttribute",
        "NanoCore.ClientPlugin",
        "IClientDataHost",
        "Object",
        "get_BuilderSettings",
        "method",
        "System.Reflection",
        "AssemblyCopyrightAttribute",
        "DisableProtection",
        "get_Value",
        "Microsoft.VisualBasic.Devices",
        "4System.Web.Services.Protocols.SoapHttpClientProtocol",
        "m_MyWebServicesObjectProvider",
        "m_ComputerObjectProvider",
        "BuilderSettings",
        "GeneratedCodeAttribute",
        "NanoCore.ClientPluginHost",
        "Shutdown",
        "DelegateAsyncResult",
        "RuntimeTypeHandle",
        "WrapNonExceptionThrows",
        "get_Computer",
        ".cctor",
        "GetType",
        "StandardModuleAttribute",
        "GetTypeFromHandle",
        "PipeClosed",
        "EditorBrowsableState",
        "Microsoft.VisualBasic.ApplicationServices",
        "Microsoft.VisualBasic.MyServices.Internal"
      ],
      "virustotal": {
        "error": true,
        "msg": "VT File lookup disabled in processing.conf"
      },
      "executed_tools": [
        "overlay",
        "msi_extract",
        "kixtart_extract",
        "vbe_extract",
        "batch_extract",
        "UnAutoIt_extract",
        "UPX_unpack",
        "RarSFX_extract",
        "Inno_extract",
        "SevenZip_unpack",
        "de4dot_deobfuscate",
        "eziriz_deobfuscate",
        "office_one"
      ],
      "cape_type_code": 1,
      "cape_type": "",
      "process_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
      "process_name": "rundll32.exe",
      "module_path": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll",
      "pid": 6020
    }
  ],
  "CAPE": {
    "payloads": [],
    "configs": []
  },
  "info": {
    "version": "2.5",
    "started": "2026-04-16 22:31:31",
    "ended": "2026-04-16 22:36:15",
    "duration": 284,
    "id": 36,
    "category": "file",
    "custom": "",
    "machine": {
      "id": 29,
      "status": "stopping",
      "name": "win10x64",
      "label": "win10x64",
      "platform": "windows",
      "manager": "KVM",
      "started_on": "2026-04-16 22:31:31",
      "shutdown_on": "2026-04-16 22:36:15"
    },
    "package": "dll",
    "timeout": true,
    "tlp": null,
    "parent_sample": {
      "id": 23,
      "file_size": 13850813,
      "file_type": "7-zip archive data, version 0.3",
      "md5": "a17189d956c6d1975717256a6e6418cb",
      "crc32": "97AFA081",
      "sha1": "970e16de1d07a90dd285e84b59c0a77e8992ed9f",
      "sha256": "f9cef6944196d5d27ca99a9c6287d9718b658add797e9cb770789a0c4dbf2bcd",
      "sha512": "3105fa5d4d6914fe69f4d4ab9e517eab55d225bbdfa199f37f3c9f103805b1b5c587fe5e985a87ea60e2e7d511a0f872619343014233791ef63859130065e9f1",
      "ssdeep": null,
      "source_url": null
    },
    "options": {},
    "source_url": null,
    "route": "",
    "user_id": 0,
    "CAPE_current_commit": "a9a0887dab232f52c59e955b9984dd494c47ce6b"
  },
  "behavior": {
    "processes": [
      {
        "process_id": 6020,
        "process_name": "rundll32.exe",
        "parent_id": 7304,
        "module_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
        "first_seen": "2026-04-16 19:32:44,415",
        "calls": [
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x77274faa",
            "parentcaller": "0x77514cce",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 0
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetThreadContext"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ae38d0"
              }
            ],
            "repeated": 0,
            "id": 1
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetThreadTimes"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad1f70"
              }
            ],
            "repeated": 0,
            "id": 2
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "IsProcessorFeaturePresent"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0b70"
              }
            ],
            "repeated": 0,
            "id": 3
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "OpenThread"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76acf5b0"
              }
            ],
            "repeated": 0,
            "id": 4
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "ProcessIdToSessionId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0b90"
              }
            ],
            "repeated": 0,
            "id": 5
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetProcessShutdownParameters"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ac9540"
              }
            ],
            "repeated": 0,
            "id": 6
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "SetThreadContext"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ae4d20"
              }
            ],
            "repeated": 0,
            "id": 7
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x772696ea",
            "parentcaller": "0x77514c2c",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "ModuleHandle",
                "value": "0x76ab0000"
              },
              {
                "name": "FunctionName",
                "value": "GetProcessId"
              },
              {
                "name": "Ordinal",
                "value": "0"
              },
              {
                "name": "FunctionAddress",
                "value": "0x76ad0c20"
              }
            ],
            "repeated": 0,
            "id": 8
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x77274faa",
            "parentcaller": "0x77514d2f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 9
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x77274faa",
            "parentcaller": "0x77514cce",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 10
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x77274faa",
            "parentcaller": "0x77514d2f",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x77525000"
              },
              {
                "name": "ModuleName",
                "value": "imagehlp.dll"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00002000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 11
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x77e7007d",
            "parentcaller": "0x7726648d",
            "category": "system",
            "api": "NtQueryLicenseValue",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Name",
                "value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
              },
              {
                "name": "Type",
                "value": "0x00000004"
              }
            ],
            "repeated": 0,
            "id": 12
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x77e7007d",
            "parentcaller": "0x7726648d",
            "category": "system",
            "api": "LdrpCallInitRoutine",
            "status": true,
            "return": "0x00000001",
            "arguments": [
              {
                "name": "MappedPath",
                "value": "\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\imagehlp"
              },
              {
                "name": "BaseAddress",
                "value": "0x77510000"
              },
              {
                "name": "InitRoutine",
                "value": "0x77516560"
              },
              {
                "name": "Reason",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 13
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 14
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "5812",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 15
          },
          {
            "timestamp": "2026-04-16 19:32:44,978",
            "thread_id": "6940",
            "caller": "0x77e91c0e",
            "parentcaller": "0x77e8dbb1",
            "category": "system",
            "api": "NtWaitForSingleObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x0000007c"
              },
              {
                "name": "Milliseconds",
                "value": "18446744073709551615"
              },
              {
                "name": "Status",
                "value": "Infinite"
              }
            ],
            "repeated": 3,
            "id": 16
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "5812",
            "caller": "0x00045f1a",
            "parentcaller": "0x00045fdd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x029b3000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 17
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "5812",
            "caller": "0x00045f1a",
            "parentcaller": "0x00045fdd",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x029b4000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 18
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6936",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x029b5000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 19
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6936",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x029b7000"
              },
              {
                "name": "RegionSize",
                "value": "0x00002000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 20
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "5812",
            "caller": "0x00044168",
            "parentcaller": "0x00046078",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "34",
                "pretty_value": "ProcessExecuteFlags"
              },
              {
                "name": "ProcessInformation",
                "value": "1"
              }
            ],
            "repeated": 0,
            "id": 21
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "5812",
            "caller": "0x000440d8",
            "parentcaller": "0x000441fe",
            "category": "misc",
            "api": "NtQuerySystemInformation",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SystemInformationClass",
                "value": "164"
              }
            ],
            "repeated": 0,
            "id": 22
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6936",
            "caller": "0x77e7138f",
            "parentcaller": "0x77e7110a",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000009",
                "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
              }
            ],
            "repeated": 0,
            "id": 23
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6936",
            "caller": "0x77e713ac",
            "parentcaller": "0x77e7110a",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "ResourcePolicies"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies"
              }
            ],
            "repeated": 0,
            "id": 24
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6936",
            "caller": "0x77e713c2",
            "parentcaller": "0x77e7110a",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 25
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6936",
            "caller": "0x77e6f04b",
            "parentcaller": "0x77e6ef40",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x026c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00008000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 26
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6936",
            "caller": "0x77e6f092",
            "parentcaller": "0x77e6ef40",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x026c0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 27
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6936",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 28
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6936",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 29
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6940",
            "caller": "0x77e80857",
            "parentcaller": "0x77e8055f",
            "category": "process",
            "api": "NtAllocateVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x029b9000"
              },
              {
                "name": "RegionSize",
                "value": "0x00006000"
              },
              {
                "name": "Protection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 30
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6940",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 31
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "6940",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 32
          },
          {
            "timestamp": "2026-04-16 19:32:44,993",
            "thread_id": "5812",
            "caller": "0x00045a1d",
            "parentcaller": "0x000442a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 33
          },
          {
            "timestamp": "2026-04-16 19:32:45,071",
            "thread_id": "5812",
            "caller": "0x00045a1d",
            "parentcaller": "0x000442a3",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002bc"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll"
              }
            ],
            "repeated": 0,
            "id": 34
          },
          {
            "timestamp": "2026-04-16 19:32:45,071",
            "thread_id": "5812",
            "caller": "0x00045a1d",
            "parentcaller": "0x000442a3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x026d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 35
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a1d",
            "parentcaller": "0x000442a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 36
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a1d",
            "parentcaller": "0x000442a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 37
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a1d",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 38
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a1d",
            "parentcaller": "0x000442a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll.123.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 39
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a1d",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 40
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a1d",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 41
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a1d",
            "parentcaller": "0x000442a3",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x026d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 42
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a3e",
            "parentcaller": "0x000442a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 43
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a3e",
            "parentcaller": "0x000442a3",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002c8"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll"
              }
            ],
            "repeated": 0,
            "id": 44
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a3e",
            "parentcaller": "0x000442a3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002bc"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x026d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 45
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a3e",
            "parentcaller": "0x000442a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 46
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a3e",
            "parentcaller": "0x000442a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002cc"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 47
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a3e",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002cc"
              }
            ],
            "repeated": 0,
            "id": 48
          },
          {
            "timestamp": "2026-04-16 19:32:45,087",
            "thread_id": "5812",
            "caller": "0x00045a3e",
            "parentcaller": "0x000442a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll.124.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 49
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a3e",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 50
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a3e",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 51
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a3e",
            "parentcaller": "0x000442a3",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x026d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 52
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a5f",
            "parentcaller": "0x000442a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002bc"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 53
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a5f",
            "parentcaller": "0x000442a3",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000004",
                "pretty_value": "SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000002bc"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll"
              }
            ],
            "repeated": 0,
            "id": 54
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a5f",
            "parentcaller": "0x000442a3",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x40000003",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x026d0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x00000000"
              },
              {
                "name": "ViewSize",
                "value": "0x0000a000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 55
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a5f",
            "parentcaller": "0x000442a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 56
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a5f",
            "parentcaller": "0x000442a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002b8"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 57
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a5f",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002b8"
              }
            ],
            "repeated": 0,
            "id": 58
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a5f",
            "parentcaller": "0x000442a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x00000000"
              },
              {
                "name": "DesiredAccess",
                "value": "0x001200a9",
                "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll.2.Manifest"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 59
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a5f",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002bc"
              }
            ],
            "repeated": 0,
            "id": 60
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a5f",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 61
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045a5f",
            "parentcaller": "0x000442a3",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x026d0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00001000"
              }
            ],
            "repeated": 0,
            "id": 62
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045abb",
            "parentcaller": "0x000442a3",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
              }
            ],
            "repeated": 0,
            "id": 63
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045abb",
            "parentcaller": "0x000442a3",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": false,
            "return": "0xffffffffc0000034",
            "pretty_return": "OBJECT_NAME_NOT_FOUND",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ValueName",
                "value": "PreferExternalManifest"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
              }
            ],
            "repeated": 0,
            "id": 64
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045abb",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 65
          },
          {
            "timestamp": "2026-04-16 19:32:45,103",
            "thread_id": "5812",
            "caller": "0x00045abb",
            "parentcaller": "0x000442a3",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00120089",
                "pretty_value": "FILE_GENERIC_READ"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\SysWOW64\\rundll32.exe"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 66
          },
          {
            "timestamp": "2026-04-16 19:32:45,134",
            "thread_id": "5812",
            "caller": "0x00045abb",
            "parentcaller": "0x000442a3",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "5812"
              },
              {
                "name": "Module",
                "value": "KERNEL32.DLL"
              },
              {
                "name": "Return Address",
                "value": "0x76ad24ac"
              }
            ],
            "repeated": 0,
            "id": 67
          },
          {
            "timestamp": "2026-04-16 19:32:45,134",
            "thread_id": "5812",
            "caller": "0x00045abb",
            "parentcaller": "0x000442a3",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 68
          },
          {
            "timestamp": "2026-04-16 19:32:45,134",
            "thread_id": "5812",
            "caller": "0x00045d94",
            "parentcaller": "0x000442ae",
            "category": "process",
            "api": "NtOpenProcessToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00000008"
              },
              {
                "name": "TokenHandle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 69
          },
          {
            "timestamp": "2026-04-16 19:32:45,134",
            "thread_id": "5812",
            "caller": "0x00045d1d",
            "parentcaller": "0x00045db9",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "18"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 70
          },
          {
            "timestamp": "2026-04-16 19:32:45,134",
            "thread_id": "5812",
            "caller": "0x00045d42",
            "parentcaller": "0x00045db9",
            "category": "process",
            "api": "NtQueryInformationToken",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "TokenInformationClass",
                "value": "20"
              },
              {
                "name": "TokenInformation",
                "value": "\\x01\\x00\\x00\\x00"
              }
            ],
            "repeated": 0,
            "id": 71
          },
          {
            "timestamp": "2026-04-16 19:32:45,134",
            "thread_id": "5812",
            "caller": "0x00045dc4",
            "parentcaller": "0x000442ae",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 72
          },
          {
            "timestamp": "2026-04-16 19:32:45,134",
            "thread_id": "5812",
            "caller": "0x00043c8d",
            "parentcaller": "0x00043e97",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin"
              },
              {
                "name": "DllBase",
                "value": "0x04050000"
              }
            ],
            "repeated": 0,
            "id": 73
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043c8d",
            "parentcaller": "0x00043e97",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x04050000"
              }
            ],
            "repeated": 0,
            "id": 74
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043d51",
            "parentcaller": "0x00043e97",
            "category": "process",
            "api": "NtSetInformationProcess",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessInformationClass",
                "value": "34",
                "pretty_value": "ProcessExecuteFlags"
              },
              {
                "name": "ProcessInformation",
                "value": "13"
              }
            ],
            "repeated": 0,
            "id": 75
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043da6",
            "parentcaller": "0x00043eb2",
            "category": "system",
            "api": "LdrGetProcedureAddressForCaller",
            "status": false,
            "return": "0xffffffffc0000138",
            "arguments": [
              {
                "name": "ModuleName",
                "value": "ClientPlugin.dll"
              },
              {
                "name": "ModuleHandle",
                "value": "0x04050000"
              },
              {
                "name": "FunctionName",
                "value": ""
              },
              {
                "name": "Ordinal",
                "value": "1"
              },
              {
                "name": "FunctionAddress",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 76
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043924",
            "parentcaller": "0x00043f58",
            "category": "process",
            "api": "NtUnmapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x024f0000"
              },
              {
                "name": "RegionSize",
                "value": "0x00004000"
              }
            ],
            "repeated": 0,
            "id": 77
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043924",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e8"
              }
            ],
            "repeated": 0,
            "id": 78
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043924",
            "parentcaller": "0x00043f58",
            "category": "registry",
            "api": "NtOpenKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00020019",
                "pretty_value": "KEY_READ"
              },
              {
                "name": "ObjectAttributesHandle",
                "value": "0x00000000"
              },
              {
                "name": "ObjectAttributesName",
                "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              },
              {
                "name": "ObjectAttributes",
                "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU"
              }
            ],
            "repeated": 0,
            "id": 79
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043924",
            "parentcaller": "0x00043f58",
            "category": "registry",
            "api": "NtQueryValueKey",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "KeyHandle",
                "value": "0x000000e8"
              },
              {
                "name": "ValueName",
                "value": "Latest"
              },
              {
                "name": "Type",
                "value": "1",
                "pretty_value": "REG_SZ"
              },
              {
                "name": "Information",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
              },
              {
                "name": "FullName",
                "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
              }
            ],
            "repeated": 0,
            "id": 80
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043924",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000000e8"
              }
            ],
            "repeated": 0,
            "id": 81
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043924",
            "parentcaller": "0x00043f58",
            "category": "filesystem",
            "api": "NtOpenFile",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "FileHandle",
                "value": "0x000000e8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x00100001",
                "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\rundll32.exe.mui"
              },
              {
                "name": "ShareAccess",
                "value": "5",
                "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
              }
            ],
            "repeated": 0,
            "id": 82
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043924",
            "parentcaller": "0x00043f58",
            "category": "process",
            "api": "NtCreateSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c8"
              },
              {
                "name": "DesiredAccess",
                "value": "0x000f0005",
                "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
              },
              {
                "name": "ObjectAttributes",
                "value": ""
              },
              {
                "name": "FileHandle",
                "value": "0x000000e8"
              },
              {
                "name": "FileName",
                "value": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\rundll32.exe.mui"
              }
            ],
            "repeated": 0,
            "id": 83
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043924",
            "parentcaller": "0x00043f58",
            "category": "process",
            "api": "NtMapViewOfSection",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SectionHandle",
                "value": "0x000002c8"
              },
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x024f0000"
              },
              {
                "name": "SectionOffset",
                "value": "0x0217ea68"
              },
              {
                "name": "ViewSize",
                "value": "0x00004000"
              },
              {
                "name": "Win32Protect",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 84
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00043924",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x000002c8"
              }
            ],
            "repeated": 0,
            "id": 85
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00045e77",
            "parentcaller": "0x000469af",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0004b000"
              },
              {
                "name": "ModuleName",
                "value": "rundll32.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 86
          },
          {
            "timestamp": "2026-04-16 19:32:45,150",
            "thread_id": "5812",
            "caller": "0x00045e77",
            "parentcaller": "0x000469af",
            "category": "process",
            "api": "NtProtectVirtualMemory",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "BaseAddress",
                "value": "0x0004b000"
              },
              {
                "name": "ModuleName",
                "value": "rundll32.exe"
              },
              {
                "name": "NumberOfBytesProtected",
                "value": "0x00001000"
              },
              {
                "name": "MemoryType",
                "value": "0x00000000"
              },
              {
                "name": "NewAccessProtection",
                "value": "0x00000002",
                "pretty_value": "PAGE_READONLY"
              },
              {
                "name": "OldAccessProtection",
                "value": "0x00000004",
                "pretty_value": "PAGE_READWRITE"
              },
              {
                "name": "StackPivoted",
                "value": "no"
              }
            ],
            "repeated": 0,
            "id": 87
          },
          {
            "timestamp": "2026-04-16 19:32:45,181",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "__notification__",
            "api": "sysenter",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadIdentifier",
                "value": "5812"
              },
              {
                "name": "Module",
                "value": "KERNELBASE.dll"
              },
              {
                "name": "Return Address",
                "value": "0x772833ec"
              }
            ],
            "repeated": 0,
            "id": 88
          },
          {
            "timestamp": "2026-04-16 19:32:45,353",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\TextShaping"
              },
              {
                "name": "DllBase",
                "value": "0x73b20000"
              }
            ],
            "repeated": 0,
            "id": 89
          },
          {
            "timestamp": "2026-04-16 19:32:45,540",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\system32\\uxtheme"
              },
              {
                "name": "DllBase",
                "value": "0x745d0000"
              }
            ],
            "repeated": 0,
            "id": 90
          },
          {
            "timestamp": "2026-04-16 19:32:45,556",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\uxtheme.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x745d0000"
              }
            ],
            "repeated": 0,
            "id": 91
          },
          {
            "timestamp": "2026-04-16 19:32:45,681",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\MSCTF"
              },
              {
                "name": "DllBase",
                "value": "0x76ba0000"
              }
            ],
            "repeated": 0,
            "id": 92
          },
          {
            "timestamp": "2026-04-16 19:32:45,712",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
              },
              {
                "name": "DllBase",
                "value": "0x75250000"
              }
            ],
            "repeated": 0,
            "id": 93
          },
          {
            "timestamp": "2026-04-16 19:32:45,728",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\bcryptPrimitives"
              },
              {
                "name": "DllBase",
                "value": "0x76d80000"
              }
            ],
            "repeated": 0,
            "id": 94
          },
          {
            "timestamp": "2026-04-16 19:32:45,868",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\ntmarta"
              },
              {
                "name": "DllBase",
                "value": "0x73710000"
              }
            ],
            "repeated": 0,
            "id": 95
          },
          {
            "timestamp": "2026-04-16 19:32:45,868",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreMessaging"
              },
              {
                "name": "DllBase",
                "value": "0x73740000"
              }
            ],
            "repeated": 0,
            "id": 96
          },
          {
            "timestamp": "2026-04-16 19:32:45,884",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\wintypes"
              },
              {
                "name": "DllBase",
                "value": "0x73630000"
              }
            ],
            "repeated": 0,
            "id": 97
          },
          {
            "timestamp": "2026-04-16 19:32:45,884",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\System32\\CoreUIComponents"
              },
              {
                "name": "DllBase",
                "value": "0x737e0000"
              }
            ],
            "repeated": 0,
            "id": 98
          },
          {
            "timestamp": "2026-04-16 19:32:45,884",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "DllLoadNotification",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "NotificationReason",
                "value": "load"
              },
              {
                "name": "DllName",
                "value": "C:\\Windows\\SYSTEM32\\textinputframework"
              },
              {
                "name": "DllBase",
                "value": "0x73a60000"
              }
            ],
            "repeated": 0,
            "id": 99
          },
          {
            "timestamp": "2026-04-16 19:32:45,946",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "kernel32.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ab0000"
              }
            ],
            "repeated": 0,
            "id": 100
          },
          {
            "timestamp": "2026-04-16 19:32:45,946",
            "thread_id": "5812",
            "caller": "0x00043a40",
            "parentcaller": "0x00043f58",
            "category": "system",
            "api": "LdrLoadDll",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Flags",
                "value": "0x00000000"
              },
              {
                "name": "FileName",
                "value": "C:\\Windows\\System32\\msctf.dll"
              },
              {
                "name": "BaseAddress",
                "value": "0x76ba0000"
              }
            ],
            "repeated": 0,
            "id": 101
          },
          {
            "timestamp": "2026-04-16 19:33:15,743",
            "thread_id": "3092",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 102
          },
          {
            "timestamp": "2026-04-16 19:33:15,743",
            "thread_id": "3092",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 103
          },
          {
            "timestamp": "2026-04-16 19:33:15,743",
            "thread_id": "3092",
            "caller": "0x77271454",
            "parentcaller": "0x7693b5fa",
            "category": "system",
            "api": "NtDuplicateObject",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "SourceProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "SourceHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "TargetProcessHandle",
                "value": "0xffffffff"
              },
              {
                "name": "TargetHandle",
                "value": "0x00000348"
              },
              {
                "name": "Options",
                "value": "0x00000002"
              }
            ],
            "repeated": 0,
            "id": 104
          },
          {
            "timestamp": "2026-04-16 19:33:15,743",
            "thread_id": "3092",
            "caller": "0x76938f18",
            "parentcaller": "0x76938dcd",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000300"
              }
            ],
            "repeated": 0,
            "id": 105
          },
          {
            "timestamp": "2026-04-16 19:33:15,743",
            "thread_id": "724",
            "caller": "0x77ea64d6",
            "parentcaller": "0x77ea63e1",
            "category": "threading",
            "api": "NtTestAlert",
            "status": true,
            "return": "0x00000000",
            "arguments": [],
            "repeated": 0,
            "id": 106
          },
          {
            "timestamp": "2026-04-16 19:33:15,743",
            "thread_id": "724",
            "caller": "0x00000000",
            "parentcaller": "0x00000000",
            "category": "threading",
            "api": "RtlUserThreadStart",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "StartAddress",
                "value": "0x00000000"
              },
              {
                "name": "Parameter",
                "value": "0x00000000"
              }
            ],
            "repeated": 0,
            "id": 107
          },
          {
            "timestamp": "2026-04-16 19:33:44,025",
            "thread_id": "4976",
            "caller": "0x77eab5a6",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "4976"
              }
            ],
            "repeated": 0,
            "id": 108
          },
          {
            "timestamp": "2026-04-16 19:33:44,025",
            "thread_id": "4976",
            "caller": "0x77eab5c9",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 109
          },
          {
            "timestamp": "2026-04-16 19:33:44,025",
            "thread_id": "6648",
            "caller": "0x77eab5a6",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "6648"
              }
            ],
            "repeated": 0,
            "id": 110
          },
          {
            "timestamp": "2026-04-16 19:33:44,025",
            "thread_id": "6648",
            "caller": "0x77eab5c9",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 111
          },
          {
            "timestamp": "2026-04-16 19:34:57,868",
            "thread_id": "724",
            "caller": "0x77eab5a6",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "724"
              }
            ],
            "repeated": 0,
            "id": 112
          },
          {
            "timestamp": "2026-04-16 19:34:57,868",
            "thread_id": "724",
            "caller": "0x77eab5c9",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 113
          },
          {
            "timestamp": "2026-04-16 19:34:57,868",
            "thread_id": "3092",
            "caller": "0x77eab5a6",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtQueryInformationThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0xfffffffe"
              },
              {
                "name": "ThreadInformationClass",
                "value": "12"
              },
              {
                "name": "ThreadInformation",
                "value": "\\x00\\x00\\x00\\x00"
              },
              {
                "name": "ThreadId",
                "value": "3092"
              }
            ],
            "repeated": 0,
            "id": 114
          },
          {
            "timestamp": "2026-04-16 19:34:57,868",
            "thread_id": "3092",
            "caller": "0x7726269a",
            "parentcaller": "0x7693c192",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000348"
              }
            ],
            "repeated": 0,
            "id": 115
          },
          {
            "timestamp": "2026-04-16 19:34:57,868",
            "thread_id": "3092",
            "caller": "0x7726269a",
            "parentcaller": "0x7693c214",
            "category": "system",
            "api": "NtClose",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "Handle",
                "value": "0x00000344"
              }
            ],
            "repeated": 0,
            "id": 116
          },
          {
            "timestamp": "2026-04-16 19:34:57,868",
            "thread_id": "3092",
            "caller": "0x77eab5c9",
            "parentcaller": "0x77e760fc",
            "category": "threading",
            "api": "NtTerminateThread",
            "status": true,
            "return": "0x00000000",
            "arguments": [
              {
                "name": "ThreadHandle",
                "value": "0x00000000"
              },
              {
                "name": "ExitStatus",
                "value": "0x00000000"
              },
              {
                "name": "ThreadId",
                "value": "0"
              },
              {
                "name": "ProcessId",
                "value": "0"
              }
            ],
            "repeated": 0,
            "id": 117
          }
        ],
        "threads": [
          "5812",
          "6940",
          "6936",
          "3092",
          "724",
          "4976",
          "6648"
        ],
        "environ": {
          "UserName": "cape",
          "ComputerName": "DESKTOP-PC01",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll\",#1",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "7c6d-8d48",
          "SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
          "MachineGUID": "",
          "MainExeBase": "0x00040000",
          "MainExeSize": "0x00014000",
          "Bitness": "32-bit",
          "DllBase": "0x04050000"
        },
        "file_activities": {
          "read_files": [],
          "write_files": [],
          "delete_files": []
        }
      }
    ],
    "anomaly": [],
    "processtree": [
      {
        "name": "rundll32.exe",
        "pid": 6020,
        "parent_id": 7304,
        "module_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
        "children": [],
        "threads": [
          "5812",
          "6940",
          "6936",
          "3092",
          "724",
          "4976",
          "6648"
        ],
        "environ": {
          "UserName": "cape",
          "ComputerName": "DESKTOP-PC01",
          "WindowsPath": "C:\\Windows",
          "TempPath": "C:\\Users\\cape\\AppData\\Local\\Temp\\",
          "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll\",#1",
          "RegisteredOwner": "",
          "RegisteredOrganization": "",
          "ProductName": "",
          "SystemVolumeSerialNumber": "7c6d-8d48",
          "SystemVolumeGUID": "c48439d1-0000-0000-0000-100000000000",
          "MachineGUID": "",
          "MainExeBase": "0x00040000",
          "MainExeSize": "0x00014000",
          "Bitness": "32-bit",
          "DllBase": "0x04050000"
        }
      }
    ],
    "summary": {
      "files": [
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll.123.Manifest",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll.124.Manifest",
        "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll.2.Manifest",
        "C:\\Windows\\SysWOW64\\rundll32.exe",
        "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\\Windows\\System32\\ru-RU\\rundll32.exe.mui"
      ],
      "read_files": [],
      "write_files": [],
      "delete_files": [],
      "keys": [
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
      ],
      "read_keys": [
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest"
      ],
      "write_keys": [],
      "delete_keys": [],
      "executed_commands": [],
      "resolved_apis": [],
      "mutexes": [],
      "created_services": [],
      "started_services": []
    },
    "enhanced": [
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:32:44,993",
        "eid": 1,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:32:45,087",
        "eid": 2,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:32:45,087",
        "eid": 3,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:32:45,103",
        "eid": 4,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:32:45,103",
        "eid": 5,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
          "content": null
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:32:45,150",
        "eid": 6,
        "data": {
          "file": "C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll",
          "pathtofile": null,
          "moduleaddress": "0x04050000"
        }
      },
      {
        "event": "read",
        "object": "registry",
        "timestamp": "2026-04-16 19:32:45,150",
        "eid": 7,
        "data": {
          "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU\\Latest",
          "content": "C:\\Program Files\\WindowsApps\\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:32:45,556",
        "eid": 8,
        "data": {
          "file": "C:\\Windows\\System32\\uxtheme.dll",
          "pathtofile": null,
          "moduleaddress": "0x745d0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:32:45,946",
        "eid": 9,
        "data": {
          "file": "kernel32.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ab0000"
        }
      },
      {
        "event": "load",
        "object": "library",
        "timestamp": "2026-04-16 19:32:45,946",
        "eid": 10,
        "data": {
          "file": "C:\\Windows\\System32\\msctf.dll",
          "pathtofile": null,
          "moduleaddress": "0x76ba0000"
        }
      }
    ],
    "encryptedbuffers": [],
    "network_map": {
      "endpoint_map": {},
      "http_host_map": {},
      "dns_intents": {},
      "http_requests": [],
      "winhttp_sessions": []
    }
  },
  "debug": {
    "log": "2026-03-05 20:34:37,991 [root] INFO: Date set to: 20260416T22:32:03, timeout set to: 200\n2026-04-16 22:32:03,149 [root] DEBUG: Starting analyzer from: C:\\vdyc7mjt\n2026-04-16 22:32:03,212 [root] DEBUG: Storing results at: C:\\YGRKNQf\n2026-04-16 22:32:03,228 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\uCFsTXY\n2026-04-16 22:32:03,243 [root] DEBUG: Python path: C:\\Python310\n2026-04-16 22:32:03,259 [root] INFO: analysis running as an admin\n2026-04-16 22:32:03,290 [root] INFO: analysis package specified: \"dll\"\n2026-04-16 22:32:03,306 [root] DEBUG: importing analysis package module: \"modules.packages.dll\"...\n2026-04-16 22:32:03,306 [root] DEBUG: imported analysis package \"dll\"\n2026-04-16 22:32:03,321 [root] DEBUG: initializing analysis package \"dll\"...\n2026-04-16 22:32:03,321 [lib.common.common] INFO: wrapping\n2026-04-16 22:32:03,493 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-04-16 22:32:03,588 [root] DEBUG: New location of moved file: C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll\n2026-04-16 22:32:03,634 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option\n2026-04-16 22:32:03,665 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option\n2026-04-16 22:32:03,665 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option\n2026-04-16 22:32:03,681 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option\n2026-04-16 22:32:03,728 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2026-04-16 22:32:03,837 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2026-04-16 22:32:03,931 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2026-04-16 22:32:04,056 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2026-04-16 22:32:04,165 [lib.api.screenshot] DEBUG: Importing 
'PIL.ImageChops'\n2026-04-16 22:32:04,306 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'\n2026-04-16 22:32:04,353 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'\n2026-04-16 22:32:05,728 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance\n2026-04-16 22:32:05,728 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-04-16 22:32:05,744 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-04-16 22:32:05,744 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-04-16 22:32:05,744 [root] DEBUG: attempting to configure 'Browser' from data\n2026-04-16 22:32:05,744 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-04-16 22:32:05,759 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-04-16 22:32:05,759 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-04-16 22:32:05,759 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-04-16 22:32:05,759 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-04-16 22:32:05,759 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-04-16 22:32:05,759 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-04-16 22:32:05,775 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-04-16 22:32:07,228 [modules.auxiliary.digisig] DEBUG: File is not signed\n2026-04-16 22:32:07,228 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-04-16 22:32:07,228 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-04-16 22:32:07,228 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-04-16 22:32:07,228 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-04-16 22:32:07,228 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-04-16 22:32:07,228 [root] DEBUG: Trying to start 
auxiliary module \"modules.auxiliary.disguise\"...\n2026-04-16 22:32:07,275 [modules.auxiliary.disguise] INFO: Disguising GUID to bb0fe90a-e37e-4dd8-8abe-f76c8e7d5d3b\n2026-04-16 22:32:07,275 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-04-16 22:32:07,290 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-04-16 22:32:07,290 [root] DEBUG: attempting to configure 'Human' from data\n2026-04-16 22:32:07,290 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-04-16 22:32:07,290 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-04-16 22:32:07,322 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-04-16 22:32:07,322 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-04-16 22:32:07,322 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-04-16 22:32:07,322 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-04-16 22:32:07,322 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-04-16 22:32:07,353 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-04-16 22:32:07,493 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-04-16 22:32:07,493 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-04-16 22:32:32,853 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-04-16 22:32:33,149 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-04-16 22:32:33,165 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644\n2026-04-16 22:32:33,493 [lib.api.process] INFO: Monitor config for <Process 644 lsass.exe>: C:\\vdyc7mjt\\dll\\644.ini\n2026-04-16 22:32:33,509 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2026-04-16 22:32:33,587 [lib.api.process] INFO: 64-bit DLL to inject is C:\\vdyc7mjt\\dll\\RXAYAOA.dll, 
loader C:\\vdyc7mjt\\bin\\HApEBtjt.exe\n2026-04-16 22:32:33,884 [root] DEBUG: Loader: Injecting process 644 with C:\\vdyc7mjt\\dll\\RXAYAOA.dll.\n2026-04-16 22:32:35,009 [root] DEBUG: 644: Python path set to 'C:\\Python310'.\n2026-04-16 22:32:35,196 [root] DEBUG: 644: Disabling sleep skipping.\n2026-04-16 22:32:35,228 [root] DEBUG: 644: TLS secret dump mode enabled.\n2026-04-16 22:32:35,368 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500\n2026-04-16 22:32:35,384 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEABC40000, thread 5020, image base 0x00007FF7C23E0000, stack from 0x0000008E4CCF2000-0x0000008E4CD00000\n2026-04-16 22:32:35,399 [root] DEBUG: 644: Commandline: C:\\Windows\\system32\\lsass.exe\n2026-04-16 22:32:35,462 [root] DEBUG: 644: Hooked 5 out of 5 functions\n2026-04-16 22:32:35,462 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\\YGRKNQf\\tlsdump\\tlsdump.log\n2026-04-16 22:32:35,478 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-04-16 22:32:35,493 [root] DEBUG: Successfully injected DLL C:\\vdyc7mjt\\dll\\RXAYAOA.dll.\n2026-04-16 22:32:35,493 [lib.api.process] INFO: Injected into 64-bit <Process 644 lsass.exe>\n2026-04-16 22:32:35,493 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-04-16 22:32:41,415 [root] INFO: Restarting WMI Service\n2026-04-16 22:32:41,525 [root] DEBUG: package modules.packages.dll does not support configure, ignoring\n2026-04-16 22:32:41,525 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'\n2026-04-16 22:32:41,540 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-04-16 22:32:41,634 [lib.api.process] INFO: Successfully executed process from path \"C:\\Windows\\System32\\rundll32.exe\" with arguments 
\"\"C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll\",#1\" with pid 6020\n2026-04-16 22:32:41,634 [lib.api.process] INFO: Monitor config for <Process 6020 rundll32.exe>: C:\\vdyc7mjt\\dll\\6020.ini\n2026-04-16 22:32:41,649 [lib.api.process] INFO: 32-bit DLL to inject is C:\\vdyc7mjt\\dll\\uhvbxn.dll, loader C:\\vdyc7mjt\\bin\\gpQBarl.exe\n2026-04-16 22:32:41,759 [root] DEBUG: Loader: Injecting process 6020 (thread 5812) with C:\\vdyc7mjt\\dll\\uhvbxn.dll.\n2026-04-16 22:32:41,806 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-04-16 22:32:41,822 [root] DEBUG: Successfully injected DLL C:\\vdyc7mjt\\dll\\uhvbxn.dll.\n2026-04-16 22:32:41,822 [lib.api.process] INFO: Injected into 32-bit <Process 6020 rundll32.exe>\n2026-04-16 22:32:43,837 [lib.api.process] INFO: Successfully resumed <Process 6020 rundll32.exe>\n2026-04-16 22:32:44,369 [root] DEBUG: 6020: Python path set to 'C:\\Python310'.\n2026-04-16 22:32:44,415 [root] DEBUG: 6020: Disabling sleep skipping.\n2026-04-16 22:32:44,415 [root] DEBUG: 6020: Dropped file limit defaulting to 100.\n2026-04-16 22:32:44,462 [root] DEBUG: 6020: YaraInit: Compiled 44 rule files\n2026-04-16 22:32:44,462 [root] DEBUG: 6020: YaraInit: Compiled rules saved to file C:\\vdyc7mjt\\data\\yara\\capemon.yac\n2026-04-16 22:32:44,478 [root] DEBUG: 6020: YaraScan: Scanning 0x00040000, size 0x136e8\n2026-04-16 22:32:44,478 [root] DEBUG: 6020: Monitor initialised: 32-bit capemon loaded in process 6020 at 0x73bc0000, thread 5812, image base 0x40000, stack from 0x2172000-0x2180000\n2026-04-16 22:32:44,478 [root] DEBUG: 6020: Commandline: \"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin.dll\",#1\n2026-04-16 22:32:44,743 [root] DEBUG: 6020: hook_api: LdrpCallInitRoutine export address 0x77EB2A40 obtained via GetFunctionAddress\n2026-04-16 22:32:44,774 [root] DEBUG: 6020: hook_api: Warning - CreateProcessA export address 0x76AE2D90 differs from GetProcAddress -> 0x73F522A0 
(AcLayers.DLL::0xfd4a22a0)\n2026-04-16 22:32:44,774 [root] DEBUG: 6020: hook_api: Warning - CreateProcessW export address 0x76AC88E0 differs from GetProcAddress -> 0x73F524E0 (AcLayers.DLL::0xfd4a24e0)\n2026-04-16 22:32:44,774 [root] DEBUG: 6020: hook_api: Warning - WinExec export address 0x76B0CF20 differs from GetProcAddress -> 0x73F527A0 (AcLayers.DLL::0xfd4a27a0)\n2026-04-16 22:32:44,853 [root] WARNING: b'Unable to place hook on GetCommandLineA'\n2026-04-16 22:32:44,853 [root] DEBUG: 6020: set_hooks: Unable to hook GetCommandLineA\n2026-04-16 22:32:44,868 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2026-04-16 22:32:44,868 [root] DEBUG: 6020: set_hooks: Unable to hook GetCommandLineW\n2026-04-16 22:32:44,962 [root] DEBUG: 6020: Hooked 630 out of 632 functions\n2026-04-16 22:32:44,962 [root] DEBUG: 6020: Syscall hook installed, syscall logging level 1\n2026-04-16 22:32:44,978 [root] DEBUG: 6020: RestoreHeaders: Restored original import table.\n2026-04-16 22:32:44,978 [root] INFO: Loaded monitor into process with pid 6020\n2026-04-16 22:32:44,993 [root] DEBUG: 6020: caller_dispatch: Added region at 0x00040000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00045F1A, thread 5812).\n2026-04-16 22:32:44,993 [root] DEBUG: 6020: YaraScan: Scanning 0x00040000, size 0x136e8\n2026-04-16 22:32:44,993 [root] DEBUG: 6020: ProcessImageBase: Main module image at 0x00040000 unmodified (entropy change 0.000000e+00)\n2026-04-16 22:32:45,134 [root] DEBUG: 6020: InstrumentationCallback: Added region at 0x76AD24AC (base 0x76AB0000) to tracked regions list (thread 5812).\n2026-04-16 22:32:45,134 [root] DEBUG: 6020: ProcessTrackedRegion: Region at 0x76AB0000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2026-04-16 22:32:45,134 [root] DEBUG: 6020: Target DLL loaded at 0x04050000: C:\\Users\\cape\\AppData\\Local\\Temp\\ClientPlugin (0xa000 bytes).\n2026-04-16 22:32:45,150 [root] DEBUG: 6020: 
YaraScan: Scanning 0x04050000, size 0x1f0\n2026-04-16 22:32:45,275 [root] DEBUG: 6020: InstrumentationCallback: Added region at 0x772833EC (base 0x77150000) to tracked regions list (thread 5812).\n2026-04-16 22:32:45,290 [root] DEBUG: 6020: ProcessTrackedRegion: Region at 0x77150000 mapped as \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2026-04-16 22:32:45,353 [root] DEBUG: 6020: DLL loaded at 0x73B20000: C:\\Windows\\SYSTEM32\\TextShaping (0x94000 bytes).\n2026-04-16 22:32:45,556 [root] DEBUG: 6020: DLL loaded at 0x745D0000: C:\\Windows\\system32\\uxtheme (0x74000 bytes).\n2026-04-16 22:32:45,681 [root] DEBUG: 6020: DLL loaded at 0x76BA0000: C:\\Windows\\System32\\MSCTF (0xd4000 bytes).\n2026-04-16 22:32:45,728 [root] DEBUG: 6020: set_hooks_by_export_directory: Hooked 0 out of 632 functions\n2026-04-16 22:32:45,728 [root] DEBUG: 6020: DLL loaded at 0x75250000: C:\\Windows\\SYSTEM32\\kernel.appcore (0xf000 bytes).\n2026-04-16 22:32:45,728 [root] DEBUG: 6020: DLL loaded at 0x76D80000: C:\\Windows\\System32\\bcryptPrimitives (0x5f000 bytes).\n2026-04-16 22:32:45,868 [root] DEBUG: 6020: DLL loaded at 0x73710000: C:\\Windows\\SYSTEM32\\ntmarta (0x29000 bytes).\n2026-04-16 22:32:45,884 [root] DEBUG: 6020: DLL loaded at 0x73740000: C:\\Windows\\System32\\CoreMessaging (0x9b000 bytes).\n2026-04-16 22:32:45,884 [root] DEBUG: 6020: DLL loaded at 0x73630000: C:\\Windows\\SYSTEM32\\wintypes (0xdb000 bytes).\n2026-04-16 22:32:45,884 [root] DEBUG: 6020: DLL loaded at 0x737E0000: C:\\Windows\\System32\\CoreUIComponents (0x27e000 bytes).\n2026-04-16 22:32:45,884 [root] DEBUG: 6020: DLL loaded at 0x73A60000: C:\\Windows\\SYSTEM32\\textinputframework (0xb9000 bytes).\n2026-04-16 22:36:04,857 [root] INFO: Analysis timeout hit, terminating analysis\n2026-04-16 22:36:04,857 [lib.api.process] INFO: Terminate event set for <Process 6020 rundll32.exe>\n2026-04-16 22:36:04,857 [root] DEBUG: 6020: Terminate Event: Attempting to dump process 
6020\n2026-04-16 22:36:04,873 [root] DEBUG: 6020: VerifyCodeSection: Executable code does not match, 0x18f2 of 0x18f3 matching\n2026-04-16 22:36:04,888 [root] DEBUG: 6020: DoProcessDump: Code modification detected, dumping Imagebase at 0x04050000.\n2026-04-16 22:36:04,888 [root] DEBUG: 6020: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-04-16 22:36:04,888 [root] DEBUG: 6020: DumpProcess: Instantiating PeParser with address: 0x04050000.\n2026-04-16 22:36:04,904 [root] DEBUG: 6020: DumpProcess: Module entry point VA is 0x040538EE.\n2026-04-16 22:36:04,904 [root] DEBUG: 6020: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x04054000, section 2\n2026-04-16 22:36:04,920 [root] DEBUG: 6020: PeParser: readPeSectionsFromProcess: readSectionFromProcess failed address 0x04058000, section 3\n2026-04-16 22:36:04,982 [lib.common.results] INFO: Uploading file C:\\YGRKNQf\\CAPE\\6020_377204361916442026 to procdump\\9d7c7de83cb3527f377d51220f8a046ac9c72bce4389ade3d7d133b7a31ea3d3; Size is 7680; Max size: 100000000\n2026-04-16 22:36:04,982 [root] DEBUG: 6020: DumpProcess: Module image dump success - dump size 0x1e00.\n2026-04-16 22:36:04,998 [lib.api.process] INFO: Termination confirmed for <Process 6020 rundll32.exe>\n2026-04-16 22:36:05,013 [root] INFO: Terminate event set for process 6020\n2026-04-16 22:36:05,013 [root] INFO: Created shutdown mutex\n2026-04-16 22:36:05,013 [root] DEBUG: 6020: Terminate Event: monitor shutdown complete for process 6020\n2026-04-16 22:36:06,029 [root] INFO: Shutting down package\n2026-04-16 22:36:06,029 [root] INFO: Stopping auxiliary modules\n2026-04-16 22:36:06,029 [root] INFO: Stopping auxiliary module: Browser\n2026-04-16 22:36:06,029 [root] INFO: Stopping auxiliary module: Human\n2026-04-16 22:36:09,138 [root] INFO: Stopping auxiliary module: Screenshots\n2026-04-16 22:36:09,919 [root] INFO: Finishing auxiliary modules\n2026-04-16 22:36:09,919 [root] INFO: Shutting down pipe server and 
dumping dropped files\n2026-04-16 22:36:09,919 [root] WARNING: Folder at path \"C:\\YGRKNQf\\debugger\" does not exist, skipping\n2026-04-16 22:36:09,919 [root] INFO: Uploading files at path \"C:\\YGRKNQf\\tlsdump\"\n2026-04-16 22:36:09,919 [lib.common.results] INFO: Uploading file C:\\YGRKNQf\\tlsdump\\tlsdump.log to tlsdump\\tlsdump.log; Size is 19728; Max size: 100000000\n2026-04-16 22:36:09,935 [root] INFO: Analysis completed\n",
    "errors": []
  },
  "network": {
    "pcap_sha256": "b246df2381621ceaa7b7efe21d6f2a4f42b8cba2a839379da61aedb65c38e239",
    "hosts": [
      {
        "ip": "20.93.72.182",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "128.75.237.176",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "46.149.110.67",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "72.154.7.16",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.108",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.100",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.105",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.102",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.98",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.101",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.107",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "72.154.7.109",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "13.107.6.156",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.41",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "20.165.94.54",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "150.171.27.11",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "173.194.73.94",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "i.pki.goog",
        "inaddrarpa": "",
        "ports": [
          80
        ]
      },
      {
        "ip": "20.42.65.93",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.56",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "84.47.178.49",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "52.123.242.97",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "40.126.53.14",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "4.207.247.139",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      },
      {
        "ip": "20.189.173.2",
        "country_name": "unknown",
        "asn": "",
        "asn_name": "",
        "hostname": "",
        "inaddrarpa": "",
        "ports": [
          443
        ]
      }
    ],
    "domains": [
      {
        "domain": "i.pki.goog",
        "ip": "142.251.143.131"
      }
    ],
    "tcp": [
      {
        "src": "192.168.1.100",
        "sport": 49723,
        "dst": "20.189.173.2",
        "dport": 443,
        "offset": 24,
        "time": 0.0
      },
      {
        "src": "192.168.1.100",
        "sport": 49724,
        "dst": "20.189.173.2",
        "dport": 443,
        "offset": 95,
        "time": 0.9062118530273438
      },
      {
        "src": "192.168.1.100",
        "sport": 49784,
        "dst": "40.126.53.14",
        "dport": 443,
        "offset": 248,
        "time": 3.8227248191833496
      },
      {
        "src": "192.168.1.100",
        "sport": 49809,
        "dst": "52.123.242.198",
        "dport": 443,
        "offset": 18649,
        "time": 4.313510894775391
      },
      {
        "src": "192.168.1.100",
        "sport": 49811,
        "dst": "13.107.253.44",
        "dport": 443,
        "offset": 43091,
        "time": 4.436440944671631
      },
      {
        "src": "192.168.1.100",
        "sport": 49813,
        "dst": "194.158.198.23",
        "dport": 80,
        "offset": 44683,
        "time": 4.463518857955933
      },
      {
        "src": "192.168.1.100",
        "sport": 49814,
        "dst": "84.47.178.49",
        "dport": 443,
        "offset": 69527,
        "time": 4.618912935256958
      },
      {
        "src": "192.168.1.100",
        "sport": 49815,
        "dst": "84.47.178.49",
        "dport": 443,
        "offset": 74548,
        "time": 4.628819942474365
      },
      {
        "src": "192.168.1.100",
        "sport": 49718,
        "dst": "84.47.178.56",
        "dport": 443,
        "offset": 88715,
        "time": 4.812054872512817
      },
      {
        "src": "192.168.1.100",
        "sport": 49817,
        "dst": "128.75.237.184",
        "dport": 443,
        "offset": 319317,
        "time": 5.040994882583618
      },
      {
        "src": "192.168.1.100",
        "sport": 49721,
        "dst": "8.8.8.8",
        "dport": 443,
        "offset": 330211,
        "time": 5.186939001083374
      },
      {
        "src": "192.168.1.100",
        "sport": 49821,
        "dst": "173.194.73.94",
        "dport": 80,
        "offset": 363265,
        "time": 6.075206995010376
      },
      {
        "src": "192.168.1.100",
        "sport": 49823,
        "dst": "199.232.210.172",
        "dport": 80,
        "offset": 391688,
        "time": 6.345167875289917
      },
      {
        "src": "192.168.1.100",
        "sport": 49728,
        "dst": "150.171.27.11",
        "dport": 443,
        "offset": 393056,
        "time": 6.370564937591553
      },
      {
        "src": "192.168.1.100",
        "sport": 49824,
        "dst": "150.171.27.11",
        "dport": 443,
        "offset": 395511,
        "time": 6.41155481338501
      },
      {
        "src": "192.168.1.100",
        "sport": 49825,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 414791,
        "time": 7.666335821151733
      },
      {
        "src": "192.168.1.100",
        "sport": 49826,
        "dst": "40.126.53.14",
        "dport": 443,
        "offset": 420474,
        "time": 7.92724084854126
      },
      {
        "src": "192.168.1.100",
        "sport": 49827,
        "dst": "20.42.65.93",
        "dport": 443,
        "offset": 430695,
        "time": 8.062122821807861
      },
      {
        "src": "192.168.1.100",
        "sport": 49831,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 488176,
        "time": 33.70869588851929
      },
      {
        "src": "192.168.1.100",
        "sport": 49833,
        "dst": "20.106.86.13",
        "dport": 443,
        "offset": 509675,
        "time": 33.98600101470947
      },
      {
        "src": "192.168.1.100",
        "sport": 49836,
        "dst": "20.190.147.8",
        "dport": 443,
        "offset": 511638,
        "time": 34.050071001052856
      },
      {
        "src": "192.168.1.100",
        "sport": 49834,
        "dst": "20.106.86.13",
        "dport": 443,
        "offset": 547458,
        "time": 34.18333601951599
      },
      {
        "src": "192.168.1.100",
        "sport": 49840,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 593482,
        "time": 34.477943897247314
      },
      {
        "src": "192.168.1.100",
        "sport": 49841,
        "dst": "4.207.247.139",
        "dport": 443,
        "offset": 600300,
        "time": 34.55033302307129
      },
      {
        "src": "4.207.247.139",
        "sport": 443,
        "dst": "192.168.1.100",
        "dport": 49834,
        "offset": 637937,
        "time": 34.79306387901306
      },
      {
        "src": "192.168.1.100",
        "sport": 49844,
        "dst": "20.106.86.13",
        "dport": 443,
        "offset": 687850,
        "time": 35.264642000198364
      },
      {
        "src": "192.168.1.100",
        "sport": 49847,
        "dst": "74.178.240.61",
        "dport": 443,
        "offset": 782100,
        "time": 36.076972007751465
      },
      {
        "src": "192.168.1.100",
        "sport": 49849,
        "dst": "20.106.86.13",
        "dport": 443,
        "offset": 864067,
        "time": 36.398008823394775
      },
      {
        "src": "192.168.1.100",
        "sport": 49850,
        "dst": "20.165.94.54",
        "dport": 443,
        "offset": 872614,
        "time": 36.792104959487915
      },
      {
        "src": "192.168.1.100",
        "sport": 49852,
        "dst": "104.208.16.90",
        "dport": 443,
        "offset": 876894,
        "time": 36.91282796859741
      },
      {
        "src": "192.168.1.100",
        "sport": 49855,
        "dst": "74.178.240.61",
        "dport": 443,
        "offset": 959032,
        "time": 37.854028940200806
      },
      {
        "src": "192.168.1.100",
        "sport": 49857,
        "dst": "20.106.86.13",
        "dport": 443,
        "offset": 970574,
        "time": 39.01706600189209
      },
      {
        "src": "192.168.1.100",
        "sport": 49860,
        "dst": "199.232.210.172",
        "dport": 80,
        "offset": 982764,
        "time": 39.134482860565186
      },
      {
        "src": "192.168.1.100",
        "sport": 49862,
        "dst": "20.106.86.13",
        "dport": 443,
        "offset": 1377194,
        "time": 39.395073890686035
      },
      {
        "src": "192.168.1.100",
        "sport": 49710,
        "dst": "84.47.178.41",
        "dport": 443,
        "offset": 1681742,
        "time": 39.825188875198364
      },
      {
        "src": "192.168.1.100",
        "sport": 49716,
        "dst": "84.47.178.56",
        "dport": 443,
        "offset": 1681883,
        "time": 39.871946811676025
      },
      {
        "src": "192.168.1.100",
        "sport": 49719,
        "dst": "8.8.4.4",
        "dport": 443,
        "offset": 1688171,
        "time": 40.371861934661865
      },
      {
        "src": "192.168.1.100",
        "sport": 49708,
        "dst": "13.107.6.156",
        "dport": 443,
        "offset": 1694107,
        "time": 41.01264786720276
      },
      {
        "src": "192.168.1.100",
        "sport": 49867,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 1719649,
        "time": 42.135809898376465
      },
      {
        "src": "192.168.1.100",
        "sport": 49712,
        "dst": "84.47.178.41",
        "dport": 443,
        "offset": 1719935,
        "time": 42.184321880340576
      },
      {
        "src": "192.168.1.100",
        "sport": 49874,
        "dst": "52.123.129.14",
        "dport": 443,
        "offset": 1968271,
        "time": 46.45467782020569
      },
      {
        "src": "192.168.1.100",
        "sport": 49876,
        "dst": "20.190.147.8",
        "dport": 443,
        "offset": 1986471,
        "time": 46.75810098648071
      },
      {
        "src": "192.168.1.100",
        "sport": 49879,
        "dst": "172.170.180.133",
        "dport": 443,
        "offset": 21930848,
        "time": 49.015875816345215
      },
      {
        "src": "192.168.1.100",
        "sport": 49881,
        "dst": "13.71.55.58",
        "dport": 443,
        "offset": 29992866,
        "time": 49.647392988204956
      },
      {
        "src": "192.168.1.100",
        "sport": 49883,
        "dst": "23.46.118.69",
        "dport": 443,
        "offset": 111105059,
        "time": 58.08386301994324
      },
      {
        "src": "192.168.1.100",
        "sport": 49885,
        "dst": "52.167.17.97",
        "dport": 443,
        "offset": 111119456,
        "time": 60.53205585479736
      },
      {
        "src": "192.168.1.100",
        "sport": 49887,
        "dst": "52.167.17.97",
        "dport": 443,
        "offset": 111134727,
        "time": 62.37414288520813
      },
      {
        "src": "192.168.1.100",
        "sport": 49889,
        "dst": "52.167.17.97",
        "dport": 443,
        "offset": 111150339,
        "time": 63.310290813446045
      },
      {
        "src": "8.8.8.8",
        "sport": 443,
        "dst": "192.168.1.100",
        "dport": 49860,
        "offset": 111167038,
        "time": 66.15510487556458
      },
      {
        "src": "192.168.1.100",
        "sport": 49892,
        "dst": "204.79.197.203",
        "dport": 80,
        "offset": 111169686,
        "time": 66.31959390640259
      },
      {
        "src": "192.168.1.100",
        "sport": 49894,
        "dst": "23.11.40.157",
        "dport": 80,
        "offset": 111181938,
        "time": 69.48308300971985
      },
      {
        "src": "192.168.1.100",
        "sport": 49896,
        "dst": "23.197.162.102",
        "dport": 80,
        "offset": 111490074,
        "time": 84.91412782669067
      },
      {
        "src": "192.168.1.100",
        "sport": 49897,
        "dst": "13.78.111.199",
        "dport": 443,
        "offset": 111495003,
        "time": 85.24750089645386
      },
      {
        "src": "192.168.1.100",
        "sport": 49900,
        "dst": "23.11.40.157",
        "dport": 80,
        "offset": 111507251,
        "time": 85.53754091262817
      },
      {
        "src": "192.168.1.100",
        "sport": 49902,
        "dst": "52.123.129.14",
        "dport": 443,
        "offset": 112352585,
        "time": 90.59735083580017
      },
      {
        "src": "192.168.1.100",
        "sport": 49906,
        "dst": "135.233.95.80",
        "dport": 443,
        "offset": 114407071,
        "time": 100.46956181526184
      },
      {
        "src": "192.168.1.100",
        "sport": 49908,
        "dst": "2.23.90.38",
        "dport": 443,
        "offset": 114430332,
        "time": 101.82795691490173
      },
      {
        "src": "192.168.1.100",
        "sport": 49909,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 114441843,
        "time": 102.1787040233612
      },
      {
        "src": "192.168.1.100",
        "sport": 49910,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 114444240,
        "time": 102.42335200309753
      },
      {
        "src": "192.168.1.100",
        "sport": 49911,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 114462227,
        "time": 102.58681297302246
      },
      {
        "src": "192.168.1.100",
        "sport": 49914,
        "dst": "72.154.7.107",
        "dport": 443,
        "offset": 116253383,
        "time": 106.6560389995575
      },
      {
        "src": "192.168.1.100",
        "sport": 49916,
        "dst": "72.154.7.106",
        "dport": 443,
        "offset": 116254267,
        "time": 106.68353486061096
      },
      {
        "src": "192.168.1.100",
        "sport": 49918,
        "dst": "2.23.90.38",
        "dport": 443,
        "offset": 116277479,
        "time": 107.53428196907043
      },
      {
        "src": "192.168.1.100",
        "sport": 49920,
        "dst": "23.197.162.102",
        "dport": 80,
        "offset": 116296485,
        "time": 107.70907688140869
      },
      {
        "src": "192.168.1.100",
        "sport": 49922,
        "dst": "52.123.224.134",
        "dport": 443,
        "offset": 116316728,
        "time": 110.22937989234924
      },
      {
        "src": "192.168.1.100",
        "sport": 49924,
        "dst": "199.232.214.172",
        "dport": 80,
        "offset": 116336804,
        "time": 141.8024218082428
      },
      {
        "src": "192.168.1.100",
        "sport": 49925,
        "dst": "128.75.237.176",
        "dport": 80,
        "offset": 116341465,
        "time": 146.2175269126892
      },
      {
        "src": "192.168.1.100",
        "sport": 49927,
        "dst": "20.42.73.27",
        "dport": 443,
        "offset": 116369690,
        "time": 176.326416015625
      },
      {
        "src": "192.168.1.100",
        "sport": 49929,
        "dst": "199.232.214.172",
        "dport": 80,
        "offset": 116398449,
        "time": 204.3923909664154
      },
      {
        "src": "192.168.1.100",
        "sport": 49931,
        "dst": "23.11.40.157",
        "dport": 80,
        "offset": 116436874,
        "time": 213.21319484710693
      },
      {
        "src": "192.168.1.100",
        "sport": 49933,
        "dst": "52.123.240.20",
        "dport": 443,
        "offset": 116458619,
        "time": 224.61640000343323
      },
      {
        "src": "192.168.1.100",
        "sport": 49935,
        "dst": "2.23.89.205",
        "dport": 443,
        "offset": 116510818,
        "time": 229.42612886428833
      },
      {
        "src": "192.168.1.100",
        "sport": 49937,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 116534684,
        "time": 230.0857458114624
      },
      {
        "src": "192.168.1.100",
        "sport": 49939,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 116551739,
        "time": 230.513170003891
      },
      {
        "src": "192.168.1.100",
        "sport": 49940,
        "dst": "46.149.110.67",
        "dport": 80,
        "offset": 116569735,
        "time": 230.61799097061157
      }
    ],
    "udp": [
      {
        "src": "192.168.1.100",
        "sport": 50605,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 17196,
        "time": 4.229959964752197
      },
      {
        "src": "192.168.1.100",
        "sport": 62170,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 87930,
        "time": 4.695616960525513
      },
      {
        "src": "192.168.1.100",
        "sport": 55893,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 328072,
        "time": 5.112076997756958
      },
      {
        "src": "192.168.1.100",
        "sport": 60374,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 360333,
        "time": 6.036466836929321
      },
      {
        "src": "192.168.1.100",
        "sport": 53286,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 390464,
        "time": 6.287873029708862
      },
      {
        "src": "192.168.1.100",
        "sport": 63771,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 430994,
        "time": 8.06862497329712
      },
      {
        "src": "192.168.1.100",
        "sport": 138,
        "dst": "192.168.1.255",
        "dport": 138,
        "offset": 487917,
        "time": 31.651566982269287
      },
      {
        "src": "192.168.1.100",
        "sport": 65157,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 494063,
        "time": 33.76542401313782
      },
      {
        "src": "192.168.1.100",
        "sport": 64829,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 509351,
        "time": 33.96771287918091
      },
      {
        "src": "192.168.1.100",
        "sport": 58386,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 781059,
        "time": 35.97023582458496
      },
      {
        "src": "192.168.1.100",
        "sport": 52623,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 869914,
        "time": 36.733662843704224
      },
      {
        "src": "192.168.1.100",
        "sport": 59917,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 982521,
        "time": 39.13097381591797
      },
      {
        "src": "192.168.1.100",
        "sport": 54452,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 1694813,
        "time": 41.17456603050232
      },
      {
        "src": "192.168.1.100",
        "sport": 64256,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 26391238,
        "time": 49.36539602279663
      },
      {
        "src": "192.168.1.100",
        "sport": 64273,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 111111073,
        "time": 59.61078190803528
      },
      {
        "src": "192.168.1.100",
        "sport": 53070,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 111169103,
        "time": 66.27702498435974
      },
      {
        "src": "192.168.1.100",
        "sport": 59530,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 111489347,
        "time": 84.83497381210327
      },
      {
        "src": "192.168.1.100",
        "sport": 58624,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 111494750,
        "time": 85.24636793136597
      },
      {
        "src": "192.168.1.100",
        "sport": 61284,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 114406335,
        "time": 99.65269088745117
      },
      {
        "src": "192.168.1.100",
        "sport": 58357,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 114429768,
        "time": 101.73257493972778
      },
      {
        "src": "192.168.1.100",
        "sport": 65131,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116251663,
        "time": 106.44809484481812
      },
      {
        "src": "192.168.1.100",
        "sport": 59174,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116252381,
        "time": 106.47474694252014
      },
      {
        "src": "192.168.1.100",
        "sport": 55750,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116276235,
        "time": 107.48604488372803
      },
      {
        "src": "192.168.1.100",
        "sport": 59868,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116332895,
        "time": 124.12145495414734
      },
      {
        "src": "192.168.1.100",
        "sport": 49965,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116385691,
        "time": 191.58705401420593
      },
      {
        "src": "192.168.1.100",
        "sport": 57756,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 116427773,
        "time": 212.76758885383606
      },
      {
        "src": "192.168.1.100",
        "sport": 51289,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 116435911,
        "time": 213.0960669517517
      },
      {
        "src": "192.168.1.100",
        "sport": 51987,
        "dst": "8.8.4.4",
        "dport": 53,
        "offset": 116443975,
        "time": 223.67434191703796
      },
      {
        "src": "192.168.1.100",
        "sport": 64887,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116509668,
        "time": 229.37421584129333
      },
      {
        "src": "192.168.1.100",
        "sport": 58402,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116521473,
        "time": 229.7119779586792
      },
      {
        "src": "192.168.1.100",
        "sport": 61254,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116539022,
        "time": 230.3074769973755
      },
      {
        "src": "192.168.1.100",
        "sport": 58134,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116549510,
        "time": 230.4136688709259
      },
      {
        "src": "192.168.1.100",
        "sport": 52061,
        "dst": "8.8.8.8",
        "dport": 53,
        "offset": 116570704,
        "time": 230.6462368965149
      }
    ],
    "icmp": [
      {
        "src": "192.168.1.100",
        "dst": "8.8.4.4",
        "type": 3,
        "data": ""
      },
      {
        "src": "192.168.1.100",
        "dst": "8.8.4.4",
        "type": 3,
        "data": ""
      }
    ],
    "http": [
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /gsr1.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/gsr1.crt",
        "body": "",
        "path": "/gsr1.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378730.18089
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /r4.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/r4.crt",
        "body": "",
        "path": "/r4.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378730.20008
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /we2.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/we2.crt",
        "body": "",
        "path": "/we2.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378730.217315
      },
      {
        "count": 2,
        "host": "i.pki.goog",
        "port": 80,
        "data": "GET /gsr4.crt HTTP/1.1\r\nHost: i.pki.goog\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n\r\n",
        "uri": "http://i.pki.goog/gsr4.crt",
        "body": "",
        "path": "/gsr4.crt",
        "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378730.236903
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: M6x9+/Wbkkq8yUNql+OP0w.0.2.3.1.1\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378826.284387
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=0-1\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: M6x9+/Wbkkq8yUNql+OP0w.0.2.6.1.1.1\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378826.529035
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=1048576-1697335\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: M6x9+/Wbkkq8yUNql+OP0w.0.2.6.1.1.2\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378826.618146
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=0-1048575\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: M6x9+/Wbkkq8yUNql+OP0w.0.2.6.1.1.3\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378826.692496
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.3.1.1\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378954.191429
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=0-1\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.1\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378954.618853
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=45088768-46137343\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.2\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378954.670652
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=32505856-33554431\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.3\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378954.723674
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=16777216-17825791\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.4\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378955.869625
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=37748736-38797311\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.5\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378959.540248
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=4194304-5242879\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.6\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378959.578927
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=22020096-23068671\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.7\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378960.05261
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=24117248-25165823\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.8\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378960.334237
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=3145728-4194303\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.9\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378960.353893
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=27262976-28311551\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.10\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378960.596678
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=40894464-41943039\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.11\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378960.80146
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=53477376-54525951\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.12\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378960.833473
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=44040192-45088767\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.13\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378960.989699
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=1048576-2097151\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.14\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378961.212841
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=13631488-14680063\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.15\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378961.236805
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=55574528-56623103\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.16\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378961.460595
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=11534336-12582911\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.17\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378961.532649
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=41943040-42991615\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.18\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378961.732574
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=23068672-24117247\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.19\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378961.813717
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=12582912-12845055\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.20\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378961.994847
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=12845056-13107199\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.21\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378962.373513
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=13107200-13369343\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.22\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378962.763841
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=13369344-13631487\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.23\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378963.319086
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=59768832-60293119\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.24\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378963.543728
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=60293120-60817407\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.25\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378963.998824
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=25165824-25690111\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.26\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378964.451011
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=25690112-26214399\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.27\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378964.904011
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=10485760-11010047\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.28\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378965.358148
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=11010048-11534335\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.29\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378965.7824
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=48234496-48758783\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.30\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378966.200964
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=48758784-49283071\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.31\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378966.624262
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=46137344-46661631\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.32\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378967.045856
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=46661632-47185919\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.33\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378967.46751
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=5242880-5767167\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.34\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378967.88804
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=5767168-6291455\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.35\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378968.303689
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=31457280-31981567\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.36\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378968.718115
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=31981568-32505855\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.37\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378969.13814
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=8388608-8912895\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.38\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378969.547015
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=8912896-9437183\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.39\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378969.950172
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=34603008-35127295\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.40\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378970.358552
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=35127296-35651583\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.41\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378970.762457
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=51380224-51904511\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.42\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378971.169367
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=51904512-52428799\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.43\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378971.575007
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=29360128-29884415\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.44\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378971.982686
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=29884416-30408703\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.45\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378972.388168
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=7340032-7864319\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.46\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378972.794769
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=7864320-8388607\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.47\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378973.195907
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=28311552-28835839\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.48\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378973.606146
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=28835840-29360127\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.49\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378974.015449
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=9437184-9961471\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.50\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378974.417547
      },
      {
        "count": 1,
        "host": "46.149.110.67",
        "port": 80,
        "data": "GET /filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=9961472-10485759\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: 1JlQuJaSWkugq9PvlGmcrA.0.2.7.1.1.51\r\nContent-Length: 0\r\nHost: 46.149.110.67\r\n\r\n",
        "uri": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "body": "",
        "path": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "user-agent": "Microsoft-Delivery-Optimization/10.0",
        "version": "1.1",
        "method": "GET",
        "first_seen": 1776378974.824258
      }
    ],
    "dns": [
      {
        "request": "i.pki.goog",
        "type": "A",
        "answers": [
          {
            "type": "A",
            "data": "173.194.73.94"
          },
          {
            "type": "CNAME",
            "data": "pki-goog.l.google.com"
          }
        ],
        "first_seen": 1776378730.14235
      }
    ],
    "smtp": [],
    "irc": [],
    "dead_hosts": [
      [
        "52.123.242.97",
        443
      ],
      [
        "72.154.7.109",
        443
      ],
      [
        "72.154.7.98",
        443
      ],
      [
        "72.154.7.101",
        443
      ],
      [
        "72.154.7.102",
        443
      ],
      [
        "72.154.7.105",
        443
      ],
      [
        "72.154.7.100",
        443
      ],
      [
        "72.154.7.108",
        443
      ],
      [
        "72.154.7.16",
        443
      ]
    ]
  },
  "suricata": {
    "alerts": [],
    "tls": [
      {
        "srcport": 49820,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-16 22:32:10.185152+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "87c36e0efdb847c153954b9f4778e764",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,45-13-43-51-23-0-65037-65281-5-27-10-11-35-18-16-17613,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      },
      {
        "srcport": 49822,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-16 22:32:10.392435+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "eca10cbdddc3be37612b1d322437c105",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,51-23-5-45-27-65281-0-35-16-65037-43-10-17613-13-18-11,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      },
      {
        "srcport": 49859,
        "srcip": "192.168.1.100",
        "dstport": 443,
        "dstip": "8.8.8.8",
        "timestamp": "2026-04-16 22:32:43.186879+0000",
        "version": "TLS 1.3",
        "sni": "dns.google",
        "ja3": {
          "hash": "00cf290bd02b8f31a70af6a46e70e981",
          "string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,18-10-16-17613-11-65037-13-0-51-5-27-43-45-23-35-65281,4588-29-23-24,0"
        },
        "ja3s": {
          "hash": "eb1d94daa7e0344597e756a1fb6e7054",
          "string": "771,4865,51-43"
        }
      }
    ],
    "perf": [],
    "files": [],
    "http": [
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:32:04.105683+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 476570,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49821,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:32:10.196470+0000",
        "uri": "/gsr1.crt",
        "length": 797,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49821,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:32:10.217315+0000",
        "uri": "/r4.crt",
        "length": 455,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49821,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:32:10.236903+0000",
        "uri": "/we2.crt",
        "length": 582,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49821,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:32:10.271729+0000",
        "uri": "/gsr4.crt",
        "length": 480,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49821,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:32:10.287176+0000",
        "uri": "/gsr1.crt",
        "length": 797,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49821,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:32:10.307246+0000",
        "uri": "/r4.crt",
        "length": 455,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49821,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:32:10.330858+0000",
        "uri": "/we2.crt",
        "length": 582,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49821,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "173.194.73.94",
        "timestamp": "2026-04-16 22:32:10.386801+0000",
        "uri": "/gsr4.crt",
        "length": 480,
        "hostname": "i.pki.goog",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/pkix-cert",
        "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0",
        "referrer": null
      },
      {
        "srcport": 49909,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:33:46.368172+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "length": 246,
        "hostname": "46.149.110.67",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49910,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:33:46.616138+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 2,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49910,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:33:46.997013+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 648760,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49911,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:33:50.553938+0000",
        "uri": "/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49937,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:35:54.391191+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com",
        "length": 2926,
        "hostname": "46.149.110.67",
        "status": 200,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:35:54.670652+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 2,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:35:55.869625+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:35:56.112710+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:35:56.371545+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:00.052610+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:00.334237+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:00.353893+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:00.596678+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:00.801460+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:00.833473+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:00.989699+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:01.192280+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:01.236805+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:01.460595+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:01.532649+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:01.732574+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:01.768066+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:01.994847+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:02.058523+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 1048576,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:02.121251+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 262144,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:02.527606+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 262144,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:02.887326+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 262144,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:03.504610+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 262144,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:03.731239+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:04.189423+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:04.653565+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:05.126539+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:05.560828+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:05.965486+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:06.366808+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:06.812926+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:07.211389+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:07.649999+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:08.053601+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:08.494418+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:08.883203+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:09.426634+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:09.711652+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:10.275396+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:10.523909+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:11.080003+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:11.334522+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:11.891509+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:12.147249+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:12.662190+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:12.960474+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:13.479998+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:13.771287+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49939,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:14.307532+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      },
      {
        "srcport": 49940,
        "srcip": "192.168.1.100",
        "dstport": 80,
        "dstip": "46.149.110.67",
        "timestamp": "2026-04-16 22:36:14.582175+0000",
        "uri": "/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "length": 524288,
        "hostname": "46.149.110.67",
        "status": 206,
        "http_method": "GET",
        "contenttype": "application/octet-stream",
        "ua": "Microsoft-Delivery-Optimization/10.0",
        "referrer": null
      }
    ],
    "dns": [
      {
        "timestamp": "2026-04-16T22:32:10.142350+0000",
        "flow_id": 611388941905388,
        "pcap_cnt": 497,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 56786,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "query",
          "id": 51226,
          "rrname": "i.pki.goog",
          "rrtype": "A",
          "tx_id": 0,
          "opcode": 0
        }
      },
      {
        "timestamp": "2026-04-16T22:32:10.163739+0000",
        "flow_id": 611388941905388,
        "pcap_cnt": 502,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 56786,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "answer",
          "id": 51226,
          "flags": "8180",
          "qr": true,
          "rd": true,
          "ra": true,
          "opcode": 0,
          "rrname": "i.pki.goog",
          "rrtype": "A",
          "rcode": "NOERROR",
          "answers": [
            {
              "rrname": "i.pki.goog",
              "rrtype": "CNAME",
              "ttl": 8,
              "rdata": "pki-goog.l.google.com"
            },
            {
              "rrname": "pki-goog.l.google.com",
              "rrtype": "A",
              "ttl": 300,
              "rdata": "173.194.73.94"
            }
          ],
          "grouped": {
            "CNAME": [
              "pki-goog.l.google.com"
            ],
            "A": [
              "173.194.73.94"
            ]
          }
        }
      },
      {
        "timestamp": "2026-04-16T22:32:10.142150+0000",
        "flow_id": 610530795330677,
        "pcap_cnt": 496,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 60374,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "query",
          "id": 30694,
          "rrname": "i.pki.goog",
          "rrtype": "HTTPS",
          "tx_id": 0,
          "opcode": 0
        }
      },
      {
        "timestamp": "2026-04-16T22:32:10.163831+0000",
        "flow_id": 610530795330677,
        "pcap_cnt": 504,
        "event_type": "dns",
        "src_ip": "192.168.1.100",
        "src_port": 60374,
        "dest_ip": "8.8.8.8",
        "dest_port": 53,
        "proto": "UDP",
        "pkt_src": "wire/pcap",
        "dns": {
          "version": 2,
          "type": "answer",
          "id": 30694,
          "flags": "8180",
          "qr": true,
          "rd": true,
          "ra": true,
          "opcode": 0,
          "rrname": "i.pki.goog",
          "rrtype": "HTTPS",
          "rcode": "NOERROR",
          "answers": [
            {
              "rrname": "i.pki.goog",
              "rrtype": "CNAME",
              "ttl": 120,
              "rdata": "pki-goog.l.google.com"
            }
          ],
          "grouped": {
            "CNAME": [
              "pki-goog.l.google.com"
            ]
          },
          "authorities": [
            {
              "rrname": "l.google.com",
              "rrtype": "SOA",
              "ttl": 60,
              "soa": {
                "mname": "ns1.google.com",
                "rname": "dns-admin.google.com",
                "serial": 900627266,
                "refresh": 900,
                "retry": 900,
                "expire": 1800,
                "minimum": 60
              }
            }
          ]
        }
      }
    ],
    "ssh": [],
    "fileinfo": [],
    "eve_log_full_path": "/opt/CAPEv2/storage/analyses/36/logs/eve.json",
    "alert_log_full_path": null,
    "tls_log_full_path": null,
    "http_log_full_path": null,
    "file_log_full_path": null,
    "ssh_log_full_path": null,
    "dns_log_full_path": null
  },
  "url_analysis": {},
  "procmemory": [],
  "signatures": [
    {
      "name": "stealth_network",
      "description": "Network activity detected but not expressed in monitor API logs",
      "categories": [
        "stealth"
      ],
      "severity": 1,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "ip": "20.93.72.182"
        },
        {
          "ip": "128.75.237.176"
        },
        {
          "ip": "46.149.110.67"
        },
        {
          "ip": "72.154.7.16"
        },
        {
          "ip": "72.154.7.108"
        },
        {
          "ip": "72.154.7.100"
        },
        {
          "ip": "72.154.7.105"
        },
        {
          "ip": "72.154.7.102"
        },
        {
          "ip": "72.154.7.98"
        },
        {
          "ip": "72.154.7.101"
        },
        {
          "ip": "72.154.7.107"
        },
        {
          "ip": "72.154.7.109"
        },
        {
          "ip": "13.107.6.156"
        },
        {
          "ip": "84.47.178.41"
        },
        {
          "ip": "20.165.94.54"
        },
        {
          "ip": "150.171.27.11"
        },
        {
          "ip": "173.194.73.94"
        },
        {
          "ip": "20.42.65.93"
        },
        {
          "ip": "84.47.178.56"
        },
        {
          "ip": "84.47.178.49"
        },
        {
          "ip": "52.123.242.97"
        },
        {
          "ip": "40.126.53.14"
        },
        {
          "ip": "4.207.247.139"
        },
        {
          "ip": "20.189.173.2"
        },
        {
          "domain": "i.pki.goog"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_cnc_http",
      "description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
      "categories": [
        "network",
        "c2"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 30,
      "references": [],
      "data": [
        {
          "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
        },
        {
          "suspicious_request": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "suspicious_request": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "suspicious_request": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "suspicious_request": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_http",
      "description": "Performs some HTTP requests",
      "categories": [
        "network"
      ],
      "severity": 2,
      "weight": 1,
      "confidence": 30,
      "references": [],
      "data": [
        {
          "url": "http://i.pki.goog/gsr1.crt"
        },
        {
          "url": "http://i.pki.goog/r4.crt"
        },
        {
          "url": "http://i.pki.goog/we2.crt"
        },
        {
          "url": "http://i.pki.goog/gsr4.crt"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "binary_yara",
      "description": "Binary file triggered multiple YARA rules",
      "categories": [
        "static"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 80,
      "references": [],
      "data": [
        {
          "Binary triggered YARA rule": "DITEKSHEN_MALWARE_Win_Nanocore"
        },
        {
          "Binary triggered YARA rule": "Windows_Trojan_Nanocore_d8c4e3c5"
        },
        {
          "Binary triggered YARA rule": "Nanocore_RAT_Gen_2"
        },
        {
          "Binary triggered YARA rule": "NETDLLMicrosoft"
        },
        {
          "Binary triggered YARA rule": "IsPE32"
        },
        {
          "Binary triggered YARA rule": "IsNET_DLL"
        },
        {
          "Binary triggered YARA rule": "IsDLL"
        },
        {
          "Binary triggered YARA rule": "IsWindowsGUI"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_Studio_NET"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_C_v70_Basic_NET_additional"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_C_Basic_NET"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_Studio_NET_additional"
        },
        {
          "Binary triggered YARA rule": "Microsoft_Visual_C_v70_Basic_NET"
        },
        {
          "Binary triggered YARA rule": "NET_executable_"
        },
        {
          "Binary triggered YARA rule": "NET_executable"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "network_questionable_http_path",
      "description": "Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext",
      "categories": [
        "network"
      ],
      "severity": 3,
      "weight": 1,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/c92e95cf-27b9-4ea9-a961-5f08d3174bee?P1=1776983625&P2=404&P3=2&P4=VOk2xGe9pl8E9uG1JttlQA7CfMAd0mMFihQdJx1qGaJTGN4Im8udcX8Jn1w61N%2fkTL%2bYDT7RQjtaM7dETii1Pg%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051/pieceshash?cacheHostOrigin=msedge.f.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        },
        {
          "url": "http://46.149.110.67/filestreamingservice/files/1c8bb521-add5-4d27-9549-25669b46e051?P1=1776983753&P2=404&P3=2&P4=BxIKNye1TLiJNIWVKEJueeiqd1NbvIp%2fu7ZVglgi0u6CHJ2hF%2f%2blRsJn3jdZSwSLDs2wA%2bNZDWQluTqowlS4uQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    },
    {
      "name": "procmem_yara",
      "description": "Yara detections observed in process dumps, payloads or dropped files",
      "categories": [
        "malware"
      ],
      "severity": 3,
      "weight": 4,
      "confidence": 100,
      "references": [],
      "data": [
        {
          "Hit": "PID 6020 triggered the Yara rule 'DITEKSHEN_MALWARE_Win_Nanocore' with data '['NanoCore.ClientPlugin', 'NanoCore.ClientPluginHost', 'IClientApp', 'IClientData', 'IClientNetwork', 'IClientAppHost', 'IClientDataHost', 'IClientLoggingHost', 'IClientNetworkHost', 'IClientUIHost', 'IClientNameObjectCollection', 'IClientReadOnlyNameObjectCollection', 'ClientPlugin', 'get_ClientSettings', 'get_Connected']'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'Windows_Trojan_Nanocore_d8c4e3c5' with data '['NanoCore.ClientPluginHost', 'NanoCore.ClientPlugin', 'get_BuilderSettings', 'IClientAppHost', 'AddHostEntry', 'LogClientException', 'PipeExists', 'IClientLoggingHost']'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'Nanocore_RAT_Gen_2' with data '['NanoCore.ClientPluginHost', 'IClientNetworkHost']'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'NETDLLMicrosoft' with data '['{ 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 }']'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'IsPE32' with data '[]'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'IsNET_DLL' with data '[]'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'IsDLL' with data '[]'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'IsWindowsGUI' with data '[]'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'Microsoft_Visual_Studio_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'Microsoft_Visual_C_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'Microsoft_Visual_Studio_NET_additional' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'Microsoft_Visual_C_v70_Basic_NET' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'NET_executable_' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'"
        },
        {
          "Hit": "PID 6020 triggered the Yara rule 'NET_executable' with data '['{ FF 25 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }']'"
        }
      ],
      "new_data": [],
      "alert": false,
      "families": []
    }
  ],
  "malscore": 8.0,
  "ttps": [
    {
      "signature": "network_cnc_http",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OB0004",
        "B0033",
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_http",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "network_questionable_http_path",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    },
    {
      "signature": "procmem_yara",
      "ttps": [
        "T1071"
      ],
      "mbcs": [
        "OC0006",
        "C0002"
      ]
    }
  ],
  "malstatus": "Malicious"
}